CWE 134

[akmittal1182]

Description of the false positive

Uncontrolled format string - querystring - Why this is categorized as critical Severity ?

Code samples or links to source code

URL to the alert on GitHub code scanning (optional)

[mbg]

Hi @akmittal1182

I am giving you the benefit of the doubt that you are trying to report an actual false positive. Could you please include the description of the false positive in the issue itself, rather than in a separate document? I have removed the links to your attachment from the issue description.

[akmittal1182]

we are currently using GitHub Advanced Security (CodeQL) within Azure DevOps and our Dev team have raised a concern regarding the severity rating applied to the use of "queryString".
We’ve observed that this is being flagged as a Critical severity issue, but based on our analysis, we believe it should be classified as a low-severity finding. Below is screenshot -

[akmittal1182]

Hello,
Do you need some other details ? Please let me know. Awaiting your response.

[mbg]

Hi @akmittal1182, thanks for posting the extra details.

The severity ratings are for the vulnerability a given query is for. In other words, all cs/uncontrolled-format-string alerts have "Critical" severity.

The alert you're getting is telling you that queryString depends on untrusted (user) input somewhere. The screenshots you posted don't show how every detail of how queryString is constructed, but you should be able to see the data flow path in the details of the alert. There you should see data flow from an untrusted user input to the alert location.

[intrigus-lgtm]

The severity ratings are for the vulnerability a given query is for. In other words, all cs/uncontrolled-format-string alerts have "Critical" severity.

Shouldn't the severity be reduced since #19738

[github-actions]

This issue is stale because it has been open 14 days with no activity. Comment or remove the Stale label in order to avoid having this issue closed in 7 days.

[github-actions]

This issue was closed because it has been inactive for 7 days.