C#: Freeze quality queries in the security-and-quality suite. #19713
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
752ae4d to
a15b9a8
Compare
There was a problem hiding this comment.
Pull Request Overview
This PR freezes the set of quality and security queries in the C# security-and-quality suite by replacing the broad selector with explicit include/exclude rules.
- Replaces the wildcard
queries: .selector with targeted include blocks for security and quality queries - Enumerates all query IDs explicitly to lock down suite contents
- Adds exclude rules for deprecated, experimental, and model-related queries
Comments suppressed due to low confidence (1)
csharp/ql/src/codeql-suites/csharp-security-and-quality.qls:12
- [nitpick] Consider adding a top-of-file comment explaining that this suite is intentionally frozen and must be updated manually, so future maintainers understand the rationale.
include:
Comment on lines
+23
to
+125
| - cs/call-to-object-tostring | ||
| - cs/call-to-obsolete-method | ||
| - cs/call-to-unmanaged-code | ||
| - cs/cast-from-abstract-to-concrete-collection | ||
| - cs/cast-of-this-to-type-parameter | ||
| - cs/catch-nullreferenceexception | ||
| - cs/catch-of-all-exceptions | ||
| - cs/chained-type-tests | ||
| - cs/class-implements-icloneable | ||
| - cs/class-missing-equals | ||
| - cs/class-name-comparison | ||
| - cs/class-name-matches-base-class | ||
| - cs/coalesce-of-identical-expressions | ||
| - cs/comparison-of-identical-expressions | ||
| - cs/complex-block | ||
| - cs/complex-condition | ||
| - cs/constant-comparison | ||
| - cs/constant-condition | ||
| - cs/coupled-types | ||
| - cs/dereferenced-value-is-always-null | ||
| - cs/dereferenced-value-may-be-null | ||
| - cs/dispose-not-called-on-throw | ||
| - cs/downcast-of-this | ||
| - cs/empty-block | ||
| - cs/empty-catch-block | ||
| - cs/empty-collection | ||
| - cs/empty-lock-statement | ||
| - cs/equality-on-floats | ||
| - cs/equals-on-arrays | ||
| - cs/equals-on-unrelated-types | ||
| - cs/equals-uses-as | ||
| - cs/equals-uses-is | ||
| - cs/expose-implementation | ||
| - cs/field-masks-base-field | ||
| - cs/gethashcode-is-not-defined | ||
| - cs/impossible-array-cast | ||
| - cs/inconsistent-compareto-and-equals | ||
| - cs/inconsistent-equals-and-gethashcode | ||
| - cs/inconsistent-lock-sequence | ||
| - cs/index-out-of-bounds | ||
| - cs/inefficient-containskey | ||
| - cs/invalid-dynamic-call | ||
| - cs/invalid-string-formatting | ||
| - cs/linq/inconsistent-enumeration | ||
| - cs/linq/missed-all | ||
| - cs/linq/missed-cast | ||
| - cs/linq/missed-oftype | ||
| - cs/linq/missed-select | ||
| - cs/linq/missed-where | ||
| - cs/linq/useless-select | ||
| - cs/local-not-disposed | ||
| - cs/local-shadows-member | ||
| - cs/lock-this | ||
| - cs/locked-wait | ||
| - cs/loss-of-precision | ||
| - cs/mishandling-japanese-era | ||
| - cs/misleading-indentation | ||
| - cs/missed-readonly-modifier | ||
| - cs/missed-ternary-operator | ||
| - cs/missed-using-statement | ||
| - cs/nested-if-statements | ||
| - cs/nested-loops-with-same-variable | ||
| - cs/non-short-circuit | ||
| - cs/null-argument-to-equals | ||
| - cs/path-combine | ||
| - cs/recursive-equals-call | ||
| - cs/recursive-operator-equals-call | ||
| - cs/reference-equality-on-valuetypes | ||
| - cs/reference-equality-with-object | ||
| - cs/rethrown-exception-variable | ||
| - cs/self-assignment | ||
| - cs/simplifiable-boolean-expression | ||
| - cs/static-field-written-by-instance | ||
| - cs/string-concatenation-in-loop | ||
| - cs/stringbuilder-creation-in-loop | ||
| - cs/stringbuilder-initialized-with-character | ||
| - cs/test-for-negative-container-size | ||
| - cs/too-many-ref-parameters | ||
| - cs/type-test-of-this | ||
| - cs/unchecked-cast-in-equals | ||
| - cs/unmanaged-code | ||
| - cs/unsafe-double-checked-lock | ||
| - cs/unsafe-sync-on-field | ||
| - cs/unsafe-year-construction | ||
| - cs/unsynchronized-getter | ||
| - cs/unsynchronized-static-access | ||
| - cs/unused-collection | ||
| - cs/unused-label | ||
| - cs/unused-property-value | ||
| - cs/useless-assignment-to-local | ||
| - cs/useless-cast-to-self | ||
| - cs/useless-gethashcode-call | ||
| - cs/useless-if-statement | ||
| - cs/useless-tostring-call | ||
| - cs/useless-type-test | ||
| - cs/useless-upcast | ||
| - cs/virtual-call-in-constructor | ||
| - cs/wrong-compareto-signature | ||
| - cs/wrong-equals-signature | ||
| - cs/xmldoc/missing-summary |
There was a problem hiding this comment.
Maintaining a manually curated list of 100+ query IDs is error-prone; consider generating this block via a script or shared selector to streamline updates and avoid omissions.
Suggested change
| id: | |
| - cs/asp/response-write | |
| - cs/call-to-gc | |
| - cs/call-to-object-tostring | |
| - cs/call-to-obsolete-method | |
| - cs/call-to-unmanaged-code | |
| - cs/cast-from-abstract-to-concrete-collection | |
| - cs/cast-of-this-to-type-parameter | |
| - cs/catch-nullreferenceexception | |
| - cs/catch-of-all-exceptions | |
| - cs/chained-type-tests | |
| - cs/class-implements-icloneable | |
| - cs/class-missing-equals | |
| - cs/class-name-comparison | |
| - cs/class-name-matches-base-class | |
| - cs/coalesce-of-identical-expressions | |
| - cs/comparison-of-identical-expressions | |
| - cs/complex-block | |
| - cs/complex-condition | |
| - cs/constant-comparison | |
| - cs/constant-condition | |
| - cs/coupled-types | |
| - cs/dereferenced-value-is-always-null | |
| - cs/dereferenced-value-may-be-null | |
| - cs/dispose-not-called-on-throw | |
| - cs/downcast-of-this | |
| - cs/empty-block | |
| - cs/empty-catch-block | |
| - cs/empty-collection | |
| - cs/empty-lock-statement | |
| - cs/equality-on-floats | |
| - cs/equals-on-arrays | |
| - cs/equals-on-unrelated-types | |
| - cs/equals-uses-as | |
| - cs/equals-uses-is | |
| - cs/expose-implementation | |
| - cs/field-masks-base-field | |
| - cs/gethashcode-is-not-defined | |
| - cs/impossible-array-cast | |
| - cs/inconsistent-compareto-and-equals | |
| - cs/inconsistent-equals-and-gethashcode | |
| - cs/inconsistent-lock-sequence | |
| - cs/index-out-of-bounds | |
| - cs/inefficient-containskey | |
| - cs/invalid-dynamic-call | |
| - cs/invalid-string-formatting | |
| - cs/linq/inconsistent-enumeration | |
| - cs/linq/missed-all | |
| - cs/linq/missed-cast | |
| - cs/linq/missed-oftype | |
| - cs/linq/missed-select | |
| - cs/linq/missed-where | |
| - cs/linq/useless-select | |
| - cs/local-not-disposed | |
| - cs/local-shadows-member | |
| - cs/lock-this | |
| - cs/locked-wait | |
| - cs/loss-of-precision | |
| - cs/mishandling-japanese-era | |
| - cs/misleading-indentation | |
| - cs/missed-readonly-modifier | |
| - cs/missed-ternary-operator | |
| - cs/missed-using-statement | |
| - cs/nested-if-statements | |
| - cs/nested-loops-with-same-variable | |
| - cs/non-short-circuit | |
| - cs/null-argument-to-equals | |
| - cs/path-combine | |
| - cs/recursive-equals-call | |
| - cs/recursive-operator-equals-call | |
| - cs/reference-equality-on-valuetypes | |
| - cs/reference-equality-with-object | |
| - cs/rethrown-exception-variable | |
| - cs/self-assignment | |
| - cs/simplifiable-boolean-expression | |
| - cs/static-field-written-by-instance | |
| - cs/string-concatenation-in-loop | |
| - cs/stringbuilder-creation-in-loop | |
| - cs/stringbuilder-initialized-with-character | |
| - cs/test-for-negative-container-size | |
| - cs/too-many-ref-parameters | |
| - cs/type-test-of-this | |
| - cs/unchecked-cast-in-equals | |
| - cs/unmanaged-code | |
| - cs/unsafe-double-checked-lock | |
| - cs/unsafe-sync-on-field | |
| - cs/unsafe-year-construction | |
| - cs/unsynchronized-getter | |
| - cs/unsynchronized-static-access | |
| - cs/unused-collection | |
| - cs/unused-label | |
| - cs/unused-property-value | |
| - cs/useless-assignment-to-local | |
| - cs/useless-cast-to-self | |
| - cs/useless-gethashcode-call | |
| - cs/useless-if-statement | |
| - cs/useless-tostring-call | |
| - cs/useless-type-test | |
| - cs/useless-upcast | |
| - cs/virtual-call-in-constructor | |
| - cs/wrong-compareto-signature | |
| - cs/wrong-equals-signature | |
| - cs/xmldoc/missing-summary | |
| kind: | |
| - problem | |
| - path-problem | |
| precision: | |
| - high | |
| - very-high | |
| - medium | |
| problem.severity: | |
| - error | |
| - warning | |
| tags contain: | |
| - security | |
| - quality |
Copilot uses AI. Check for mistakes.
tamasvajk
approved these changes
Jun 10, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Freeze the quality queries in
security-and-qualityfor C# (to avoid accidentally adding new quality queries to this suite).