Skip to content

fix(oracle): make CodeQL run the dispose query + auto-pick a build target for Infer##22

Merged
PhysShell merged 2 commits into
mainfrom
claude/zen-pasteur-76hfs1
Jun 17, 2026
Merged

fix(oracle): make CodeQL run the dispose query + auto-pick a build target for Infer##22
PhysShell merged 2 commits into
mainfrom
claude/zen-pasteur-76hfs1

Conversation

@PhysShell

@PhysShell PhysShell commented Jun 17, 2026

Copy link
Copy Markdown
Owner

What the first real oracle run taught us

The first dispatch of oracle (cross-tool) on DapperLib/Dapper (run 27659607294) ran the pipeline end-to-end — but as validation it was inconclusive, because both oracles silently contributed nothing. Same shape as the first corpus mine: the run exposed two harness bugs, not target bugs. This fixes both.

What that run actually produced:

tool leak-class reality
Own.NET 1 BenchmarkBase._connection (SqlConnection) — the known weak field-leak signal
CodeQL 0 false zero — the dispose query never ran
Infer# skipped — target build failed (MSB1050)

Fix 1 — CodeQL was running the wrong query suite

cs/local-not-disposed (and the other dispose/leak queries) are quality queries — they are not in the default code-scanning (security) suite that the action runs when queries: is unset. So CodeQL reported 0 leaks because the query never executed, not because the code was clean.

CodeQL init now requests queries: security-and-quality.

Fix 2 — Infer# build target was ambiguous on multi-project repos

dotnet build target (the repo root) failed with MSB1050: ... the folder "target" contains more than one project or solution file, so BUILD_OK was never set and the Run Infer# step was skipped (the continue-on-error partial-report path worked as designed — but we got no Infer#).

→ The build step now picks a target: explicit build input wins; else a lone *.sln (auto-detected, which covers Dapper); else the dir (still continue-on-error).

Docs

docs/notes/oracle.md records both: the security-and-quality requirement (with the why) and the lone-.sln autodetect.

Not changed

No comparator code change — oracle_compare.py and its --selftest (12/12) are untouched; this is purely the orchestration + docs.

After merge

Re-dispatch oracle (cross-tool) with repo = DapperLib/Dapper (now no build input needed — Dapper has a lone .sln). That should give a real Own.NET vs CodeQL(security-and-quality) vs Infer# comparison, where agree / oracle-only finally mean something.

Verified

oracle.yml valid YAML · build-step bash parses · ruff clean · oracle --selftest 12/12.

🤖 Generated with Claude Code


Generated by Claude Code

Summary by CodeRabbit

  • Chores

    • Improved automated code quality analysis by explicitly running the security-and-quality ruleset.
    • Enhanced build selection logic for analysis runs, improving reliability for repositories containing multiple solutions.
  • Documentation

    • Expanded guidance on how analysis behaves when builds fail, including partial reporting behavior.
    • Clarified how multi-solution repositories are handled and how to provide explicit build input to avoid ambiguity errors.

…rget

The first real oracle run (DapperLib/Dapper, run 27659607294) exposed two harness
gaps that made BOTH oracles silently contribute nothing — the same way the first
mine exposed two extractor false positives.

- CodeQL: request `queries: security-and-quality`. `cs/local-not-disposed` and the
  other dispose/leak queries are *quality* queries, absent from the default
  code-scanning (security) suite. CodeQL reported 0 leaks because the query never
  ran (a false zero), not because the code was clean.
- Infer# build: `dotnet build target` (the repo root) hit MSB1050 on Dapper
  (>1 solution/project present), so the build failed and Infer# was skipped.
  Now pick a target: explicit `build` input wins; else a lone *.sln; else the dir
  (still continue-on-error -> partial report).
- docs/notes/oracle.md: record both (the security-and-quality requirement and the
  lone-.sln autodetect).

No comparator code change. oracle.yml valid YAML; oracle selftest 12/12; ruff clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Rg8kSk1YT14x7A1vo5zgED
@chatgpt-codex-connector

Copy link
Copy Markdown

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

@coderabbitai

coderabbitai Bot commented Jun 17, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: f2ea1597-9ef2-4e39-ad96-102c8fba18f9

📥 Commits

Reviewing files that changed from the base of the PR and between 767d560 and 2afccab.

📒 Files selected for processing (2)
  • .github/workflows/oracle.yml
  • docs/notes/oracle.md
✅ Files skipped from review due to trivial changes (1)
  • docs/notes/oracle.md

📝 Walkthrough

Walkthrough

The Oracle workflow gains two targeted improvements: CodeQL initialization now explicitly specifies the security-and-quality query suite, and the Infer# build step replaces a static target/target/<build> choice with a heuristic that scans for .sln files, auto-selects a lone solution, or falls back with a disambiguation note. Documentation is updated to reflect both behaviors.

Changes

Oracle Workflow and Documentation Updates

Layer / File(s) Summary
CodeQL explicit security-and-quality suite
.github/workflows/oracle.yml, docs/notes/oracle.md
CodeQL init step now sets queries: security-and-quality; documentation updated to state the suite used and clarify that dispose/leak queries require this suite to contribute results.
Infer# .sln-scanning build target heuristic
.github/workflows/oracle.yml, docs/notes/oracle.md
Build step scans for .sln files under target, selects the single solution when exactly one is found, falls back to building target with a note when multiple exist; docs add the MSB1050 ambiguity explanation for multi-solution repo roots.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • PhysShell/Own.NET#21: Introduced the cross-tool oracle harness (.github/workflows/oracle.yml and docs/notes/oracle.md) that this PR directly refines with the CodeQL suite setting and Infer# build heuristic.

Poem

🐇 Hop, hop through the .sln files I go,
One solution found? I build it just so!
Too many? A note, and I fall to the dir,
CodeQL now sings with a quality choir.
Every query and suite in its place —
A cleaner oracle run, what a wonderful space! 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the two main changes: enabling CodeQL's dispose query via the security-and-quality suite, and implementing auto-detection of build targets for Infer#.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch claude/zen-pasteur-76hfs1

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/oracle.yml:
- Around line 118-123: The `-maxdepth 2` constraint in the find command that
searches for .sln files limits discovery to only two levels deep. This causes
.sln files at greater depths to be missed, resulting in zero solutions found and
triggering an incorrect fallback to "dotnet build target". Increase the maxdepth
value or remove the maxdepth constraint entirely in the mapfile command that
uses find to locate .sln files under the target directory, allowing it to
discover solution files at any depth and ensuring the lone-.sln auto-detection
works correctly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: dd20efdf-25d8-4e1a-9204-f82610a2aa3c

📥 Commits

Reviewing files that changed from the base of the PR and between 4dbafa7 and 767d560.

📒 Files selected for processing (2)
  • .github/workflows/oracle.yml
  • docs/notes/oracle.md

Comment thread .github/workflows/oracle.yml Outdated
CodeRabbit (valid, Minor): `find -maxdepth 2` would miss a repo whose only
solution sits deeper, forcing the dir fallback. Their suggested unlimited `find`
over-corrects, though: a repo with a clean root solution plus nested sample
.slns would then read as "multiple" and fall back unnecessarily.

Root-first instead: a unique root-level *.sln wins; if none at root, a unique
solution anywhere (this is the deep-lone-.sln case they flagged); else fall back
to the dir + a note. More robust than either fixed depth.

oracle.yml valid YAML; build-step bash parses. Docs note updated to match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Rg8kSk1YT14x7A1vo5zgED
@PhysShell
PhysShell merged commit da2c4b0 into main Jun 17, 2026
17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants