
Clear CodeQL high-severity alerts blocking releases (TASK-372/373)#10

Merged
tgd1975 merged 5 commits into main from fix/codeql-high-severity-alerts on May 8, 2026

Conversation

@tgd1975

@tgd1975 tgd1975 commented May 8, 2026

Owner

Summary

Two fixes that together clear the GHAS code-scanning gate blocking PR #9 (v0.5.0 release):

  • TASK-372: add .github/codeql/codeql-config.yml with paths-ignore for **/_deps/** and .vscode/build*/**. Wires it into the CodeQL workflow so vendored GoogleTest source pulled into the host-test build is not scanned (5 false-positive high-severity alerts go away).
  • TASK-373: switch the JsonArray-iteration counter in config_loader.cpp and config_loader_merge.cpp from uint8_t to size_t. Both loops compared the narrow counter against JsonArray::size() (size_t); CodeQL flagged cpp/comparison-with-wider-type. Behaviour is unchanged in practice because numProfiles (uint8_t, ≤ 255) was already the binding cap.

After this lands on main and the next CodeQL scan runs, the 7 currently-open high-severity alerts should drop to 0.

Test plan

🤖 Generated with Claude Code

tgd1975 and others added 4 commits May 8, 2026 16:22
Adds .github/codeql/codeql-config.yml that excludes **/_deps/** and
.vscode/build*/** from CodeQL analysis, and wires the file into
.github/workflows/codeql-analysis.yml via config-file: on the
codeql-action/init step.

Removes 5 high-severity GHAS false-positive alerts on GoogleTest
source pulled into .vscode/build/_deps/ during the host-test build.

Also scaffolds TASK-373 (real cpp/comparison-with-wider-type fixes
in config_loader.cpp / config_loader_merge.cpp), which is the other
half required to clear the GHAS gate so the v0.5.0 release PR #9
can merge.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Switches the JsonArray-iteration counter in
lib/PedalLogic/src/config_loader.cpp:154 (loadConfig) and
lib/PedalLogic/src/config_loader_merge.cpp:65 (mergeConfig) from
uint8_t to size_t. Both loops compared the narrow counter against
JsonArray::size() (size_t), which CodeQL flagged as
cpp/comparison-with-wider-type — the counter could in principle wrap
to zero and never terminate.

In practice the secondary guard `i < hardwareConfig.numProfiles` (where
numProfiles is uint8_t) bounds the counter at 255, so behaviour is
unchanged. config_loader.cpp adds a static_cast<uint8_t> at the
profileManager.addProfile() call site since the counter is now wider
than the API expects; the cast is safe by construction.

Clears CodeQL alerts #1 (config_loader.cpp) and #2
(config_loader_merge.cpp) so the v0.5.0 release PR #9 can pass the
GHAS code-scanning gate.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
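The loop-counter problem described in the PR summary (TASK-373) and in the second commit message above, as an added illustration that is not code from this repository: a uint8_t counter compared against a size_t bound never terminates once the array grows past 255 entries, the uint8_t numProfiles guard masks that in practice, and the widened size_t counter is the actual fix. FakeJsonArray, makeArray, the fuse parameter and the collected-index stand-in for profileManager.addProfile() are all constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for the JsonArray the commit refers to: the only
// property that matters here is that size() returns size_t.
struct FakeJsonArray {
    std::vector<int> items;
    std::size_t size() const { return items.size(); }
};

FakeJsonArray makeArray(std::size_t n) {
    return FakeJsonArray{std::vector<int>(n, 0)};
}

// "Before" shape of the loop CodeQL flagged (cpp/comparison-with-wider-type):
// a uint8_t counter compared against a size_t bound. Once size() exceeds 255
// the increment wraps 255 -> 0 and the condition can never become false.
// `fuse` caps the iteration count so the demonstration cannot hang.
std::size_t iterateNarrow(const FakeJsonArray& arr, std::size_t fuse) {
    std::size_t iterations = 0;
    for (std::uint8_t i = 0; i < arr.size(); ++i) {
        if (++iterations >= fuse) {
            break;  // fuse tripped: the loop did not terminate on its own
        }
    }
    return iterations;
}

// Same loop with the secondary guard the commit message describes:
// numProfiles is itself uint8_t, so i can never reach 256 before the
// guard fails, which is why behaviour was unchanged in practice.
std::size_t iterateNarrowGuarded(const FakeJsonArray& arr, std::uint8_t numProfiles,
                                 std::size_t fuse) {
    std::size_t iterations = 0;
    for (std::uint8_t i = 0; i < arr.size() && i < numProfiles; ++i) {
        if (++iterations >= fuse) {
            break;
        }
    }
    return iterations;
}

// "After" shape: counter widened to size_t. The index handed to the
// (hypothetical) uint8_t-taking addProfile() is narrowed back with a
// static_cast, which is safe only because the numProfiles guard already
// bounds i below 256. The returned vector stands in for the addProfile() calls.
std::vector<std::uint8_t> iterateWide(const FakeJsonArray& arr, std::uint8_t numProfiles) {
    std::vector<std::uint8_t> added;
    for (std::size_t i = 0; i < arr.size() && i < numProfiles; ++i) {
        added.push_back(static_cast<std::uint8_t>(i));
    }
    return added;
}
```

The point worth keeping in mind when reviewing the cast: its safety rests entirely on numProfiles staying uint8_t. If that field is ever widened, the static_cast at the addProfile() call site silently truncates rather than failing, so a static_assert on sizeof(numProfiles) or a range check next to the cast is a cheap way to keep that assumption visible.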
@github-actions

github-actions Bot commented May 8, 2026


GoogleTest Results

291 tests  ±0   291 ✅ ±0   0s ⏱️ ±0s
 25 suites ±0     0 💤 ±0 
  1 files   ±0     0 ❌ ±0 

Results for commit d1131d4. ± Comparison against base commit 083c6ef.

♻️ This comment has been updated with latest results.

…ease-PR gate

Pulls in pedal_config.cpp and profile.cpp from feature/config-extensions
(squash branch / PR #9) to clear the pre-existing clang-tidy backlog on
main. Without this, PR #10 cannot pass the required clang-tidy CI gate
even though my own changes do not touch these files — the gate fails
on errors that already exist on main.

Mechanical fixes:
- braces around single-statement if/for bodies in pedal_config.cpp
  (8x) and profile.cpp (4x) — readability-braces-around-statements
- remove unused 'ILogger* createLogger()' forward declaration in
  pedal_config.cpp — readability-redundant-declaration

Identical to the corresponding hunks in TASK-371's squashed history;
no functional change. Once PR #10 merges, main is clang-tidy-clean
and PR #9 (v0.5.0 release) can rebase and merge without --admin
override.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@tgd1975 tgd1975 merged commit 2b6a88f into main May 8, 2026
15 of 18 checks passed
@tgd1975 tgd1975 deleted the fix/codeql-high-severity-alerts branch May 8, 2026 14:50