
ci/codeql: ignore bundled libc++ headers in CodeQL analysis#44600

Closed
Copilot wants to merge 2 commits intomainfrom
copilot/fix-codeql-alert-cpp-new-free-mismatch

Conversation

Contributor

Copilot AI commented Apr 23, 2026

CodeQL alert #1881 (cpp/new-free-mismatch) repeatedly opens/closes on main with location bin/clang18.1.8/include/c++/v1/vector:492 — a false positive inside libc++'s std::vector allocator path. The alert yo-yos because the CodeQL workflows download and untar the clang toolchain into bin/clang18.1.8/ inside $GITHUB_WORKSPACE, causing CodeQL to treat bundled libc++ headers as project source files.

Changes

  • .github/codeql/codeql-config.yml (new): CodeQL config with a narrowly-scoped paths-ignore targeting only libc++ v1 headers (**/include/c++/v1/**). Intentionally does not broaden to bin/** or include/c++/** (libstdc++). Includes a comment explaining the rationale and scope constraint.

  • codeql-push.yml, codeql-daily.yml: Add config-file: ./.github/codeql/codeql-config.yml to the Initialize CodeQL step in both workflows so push-time and weekly scans use the same exclusion and the alert cannot flip state across the two runs.

- name: Initialize CodeQL
  uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
  with:
    languages: cpp
    trap-caching: false
    config-file: ./.github/codeql/codeql-config.yml

Original prompt

Background

CodeQL alert #1881 (cpp/new-free-mismatch, CWE-401) repeatedly opens/reappears/closes on main. Its location is:

bin/clang18.1.8/include/c++/v1/vector:492

That path is libc++ from the clang toolchain that both CodeQL workflows download and untar into the workspace:

# .github/workflows/codeql-push.yml and .github/workflows/codeql-daily.yml
mkdir -p bin/clang18.1.8
cd bin/clang18.1.8
wget -q https://github.com/llvm/llvm-project/releases/download/llvmorg-18.1.8/clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz
tar -xf clang+llvm-18.1.8-x86_64-linux-gnu-ubuntu-18.04.tar.xz --strip-components 1

The bazel build is then invoked with --repo_env=BAZEL_LLVM_PATH="$(realpath bin/clang18.1.8)", which surfaces libc++ headers through the compile commands CodeQL observes. The alert is a dataflow-precision false positive inside std::vector's allocator path — there's nothing to fix in Envoy source, and no Envoy code change can retire it. Its yoyoing "Fixed/Reappeared" history (observable on the alert page) is a function of which 1–3 targets the push workflow happens to build, not of any code change.

What to do

Add a CodeQL configuration file in the repo that tells CodeQL to ignore results whose location is inside the bundled libc++ headers, and reference that config from both CodeQL workflows via github/codeql-action/init's config-file input. Keep the scope as narrow as possible:

  • Suppress only libc++ v1 headers, i.e. the include/c++/v1/** tree shipped in the downloaded clang bundle. Do not broaden to bin/**, include/c++/** (libstdc++), or any rule-wide exclusion.
  • Put the config in its own YAML file under .github/codeql/ rather than inlining paths-ignore blocks into each workflow. The config must live in a single place and be referenced (not duplicated) by both workflows.

Files to change

1. New file: .github/codeql/codeql-config.yml

Create with contents similar to:

name: "Envoy CodeQL config"

# The CodeQL workflows download a prebuilt clang bundle and untar it into
# $GITHUB_WORKSPACE/bin/clang18.1.8/. Bazel is then pointed at that path via
# BAZEL_LLVM_PATH, which causes CodeQL to see the bundled libc++ headers as
# project source files. Alerts whose primary location is inside those headers
# (e.g. cpp/new-free-mismatch in <vector>) are structural false positives
# from dataflow losing precision across allocator/template instantiations --
# they are not fixable in Envoy and are not indicative of real libc++ bugs.
#
# Scope is intentionally narrow: only libc++ (clang bundle) headers, matched
# by the standard v1 layout. Do not broaden to bin/** or to libstdc++
# (include/c++/** without the v1/ suffix).
paths-ignore:
  - '**/include/c++/v1/**'

The comment block above MUST be preserved so reviewers/future-maintainers understand why the exclusion exists and why it's scoped the way it is.

2. Modify .github/workflows/codeql-push.yml

Locate the existing Initialize CodeQL step:

    - name: Initialize CodeQL
      uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # codeql-bundle-v4.35.2
      with:
        languages: cpp
        trap-caching: false

Add a config-file input pointing at the new file:

    - name: Initialize CodeQL
      uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225  # codeql-bundle-v4.35.2
      with:
        languages: cpp
        trap-caching: false
        config-file: ./.github/codeql/codeql-config.yml

Do not change any other part of the workflow.

3. Modify .github/workflows/codeql-daily.yml

Apply the identical change to the corresponding Initialize CodeQL step in the daily workflow. Both workflows must reference the same config file so that push-time and weekly scans agree on what is in-scope; otherwise the alert would keep flipping state across the two runs.

Do not change any other part of the workflow.

Constraints

  • Do not modify or revert any source code under source/, test/, contrib/, or similar. This PR is CI-configuration only.
  • Do not add a blanket paths-ignore: ['bin/**'] or anything that would hide genuine findings in Envoy source that merely happens to live under a similarly named path.
  • Do not add query-filters / global rule exclusions. Keep the mechanism to paths-ignore against libc++ v1 headers only.
  • Keep the pinned SHA of github/codeql-action/init exactly as it currently is in each workflow. No action-version bumps.
  • The config file path passed to config-file MUST be ./.github/codeql/codeql-config.yml (leading ./ is conventional for the CodeQL action's resolver).

Verification

  • yamllint (or equivalent) should pass on the new file and the modified workflows.
  • The two workflow diffs should each be a single added line (config-file: ./.github/codeql/codeql-config.yml) under...

This pull request was created from Copilot chat.
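Added example, not code from the PR or from Envoy's own tooling: a small Python check of the exclusion's scope. It uses a simplified glob matcher (assumed semantics, not CodeQL's actual resolver) to confirm that **/include/c++/v1/** drops the alert's location but not Envoy source or a libstdc++-style layout, and that both Initialize CodeQL steps name the same config-file; the step snippets are constructed to mirror the workflows quoted above.

```python
import re

# The paths-ignore entry from the PR's .github/codeql/codeql-config.yml.
PATHS_IGNORE = ["**/include/c++/v1/**"]


def glob_to_regex(pattern):
    """Assumed glob semantics (a simplification of CodeQL's resolver):
    '**' spans any number of path components, '*' stays inside one."""
    parts = []
    for tok in re.findall(r"\*\*/|\*\*|\*|[^*]+", pattern):
        parts.append({"**/": "(?:.*/)?", "**": ".*", "*": "[^/]*"}.get(tok) or re.escape(tok))
    return re.compile("^" + "".join(parts) + "$")


def is_ignored(path, patterns=PATHS_IGNORE):
    """True if a result whose primary location is `path` would be dropped."""
    return any(glob_to_regex(p).match(path) for p in patterns)


def config_file_of(step_yaml):
    """config-file input of an Initialize CodeQL step, or None if absent."""
    m = re.search(r"^\s*config-file:\s*(\S+)\s*$", step_yaml, re.M)
    return m.group(1) if m else None


def workflows_agree(*steps):
    """Both workflows must name the same config, or alerts flip between runs."""
    seen = {config_file_of(s) for s in steps}
    return len(seen) == 1 and None not in seen


# Constructed step snippets mirroring codeql-push.yml and codeql-daily.yml.
PATCHED_STEP = """
    - name: Initialize CodeQL
      with:
        languages: cpp
        trap-caching: false
        config-file: ./.github/codeql/codeql-config.yml
"""
UNPATCHED_STEP = """
    - name: Initialize CodeQL
      with:
        languages: cpp
        trap-caching: false
"""
```

Running is_ignored over a repository's file list before committing the config is a cheap way to see exactly which paths an exclusion would silence.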

@repokitteh-read-only

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #44600 was opened by Copilot.


Copilot AI changed the title from "[WIP] Fix CodeQL alert cpp/new-free-mismatch in vector allocator" to "ci/codeql: ignore bundled libc++ headers in CodeQL analysis" Apr 23, 2026
Copilot AI requested a review from phlax April 23, 2026 11:29
@phlax phlax closed this Apr 23, 2026
@phlax phlax deleted the copilot/fix-codeql-alert-cpp-new-free-mismatch branch April 23, 2026 16:11