I’m a deepsource freeloader for my various open source cruft on Github. I find deepsource extremely useful and it finds things that other systems continue to miss. Anyway, I come to whine about two small nits.
I have found that over the past few months, the DeepSource bot PR comments often fail to report any issue resolutions with the PR. I am explicitly creating PRs that address deepsource issues and find that once merged, the issue counts within the repo are going downward. I just miss the warm fuzzies of having the PR comment say that I have accomplished something!
I continue to get false positives for PHP-A1002 SQL Injection. It is flagging PHP code that has nothing to do with SQL. I don’t want to globally quiet this very important security issue.
Hey @akrherz! Thanks for your post. We appreciate you being a DeepSource user.
I have found that over the past few months, the DeepSource bot PR comments often fail to report any issue resolutions with the PR. I am explicitly creating PRs that address deepsource issues and find that once merged, the issue counts within the repo are going downward. I just miss the warm fuzzies of having the PR comment say that I have accomplished something!
Can you check if the “Pull Request Comments” flag is enabled in your repository’s settings?
I continue to get false positives for PHP-A1002 SQL Injection. It is flagging PHP code that has nothing to do with SQL. I don’t want to globally quiet this very important security issue.
Thanks for flagging this. Paging @anto-christo from my team here to take a look at this and add it to our backlog. We continue to improve our analyzers and fix these false positives, and your feedback helps a lot!
Thank you for the response. Indeed, I always get deepsource PR messages; the problem is that they do not denote when I fix issues. See this one-line change PR.
Ah, got it. Yes, we show messages when you’ve fixed issues — but we should! I’ll take this back to the team and see what we can do. Thanks for the feedback!