mirror of
https://github.com/github/codeql.git
synced 2026-04-28 18:25:24 +02:00
This makes ExecTainted report results only when the tainted value does not become the start of the string which is eventually run as a shell command. The theory is that those cases are likely to be deliberate, and part of the expected threat model of the program (e.g. $CC in make). This lines up better with the results I considered fixable true positives in LGTM testing.
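The heuristic described in the commit message, worked through as an added illustration (this is not CodeQL's ExecTainted implementation, and the command-building samples below are constructed): a shell command string is modelled as a sequence of parts, each either a string literal from the source or a value that may carry taint, and a result is reported only when some part is tainted but the tainted value is not the very first part of the command. A small printf-style format splitter turns `snprintf(buf, n, "%s -c %s", cc, src); system(buf);`-style constructions into such parts. The names `cc`, `src` and `user_path` are placeholders chosen here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Part:
    """One piece of a command string: a source literal, or a value that may be tainted."""
    text: str            # literal text, or a placeholder name for a runtime value
    literal: bool        # True when this piece is a string literal in the source
    tainted: bool = False


# printf-style conversion specifiers, including the escaped "%%".
CONV = re.compile(r'%(?:%|[-+ #0]*\d*(?:\.\d+)?[hlLqjzt]*[diouxXeEfgGcsp])')


def parts_from_format(fmt, args):
    """Split a printf-style format into Parts.

    `args` is a list of (name, tainted) pairs, one per conversion specifier,
    in the order they appear in `fmt` (the "%%" escape consumes no argument).
    """
    parts, pos, next_arg = [], 0, 0
    for m in CONV.finditer(fmt):
        if m.start() > pos:
            parts.append(Part(fmt[pos:m.start()], literal=True))
        if m.group() == '%%':
            parts.append(Part('%', literal=True))
        else:
            name, tainted = args[next_arg]
            next_arg += 1
            parts.append(Part(name, literal=False, tainted=tainted))
        pos = m.end()
    if pos < len(fmt):
        parts.append(Part(fmt[pos:], literal=True))
    if next_arg != len(args):
        raise ValueError("argument count does not match the format's conversions")
    return parts


def tainted_starts_command(parts):
    """True when the command string begins with a tainted value (the $CC-in-make shape)."""
    return bool(parts) and not parts[0].literal and parts[0].tainted


def should_report(parts):
    """The refined rule: report only when taint reaches the command but is not its start."""
    has_taint = any(not p.literal and p.tainted for p in parts)
    return has_taint and not tainted_starts_command(parts)


# Constructed samples standing in for C code of the shape
#   snprintf(buf, sizeof buf, FORMAT, ...); system(buf);
# The compiler name comes from the environment, as $CC does in make: deliberate, not reported.
MAKE_STYLE = parts_from_format("%s -c %s", [("cc", True), ("src", False)])
# A tainted value spliced into the middle of a fixed command: reported.
ARG_INJECTION = parts_from_format("ls -l %s", [("user_path", True)])
# No taint at all: nothing to report.
CLEAN = parts_from_format("%s -c %s", [("cc", False), ("src", False)])
# Same idea with strcpy/strcat-style concatenation: the literal "rm " comes first, so reported.
CONCAT = [Part("rm ", literal=True), Part("user_path", literal=False, tainted=True)]


if __name__ == "__main__":
    for label, parts in [("make-style", MAKE_STYLE), ("arg-injection", ARG_INJECTION),
                         ("clean", CLEAN), ("concat", CONCAT)]:
        print(f"{label:14s} report={should_report(parts)}")
```

The classification rests entirely on position: a tainted value that forms the start of the command is treated as the program's chosen tool rather than an injected argument, which is exactly the distinction the commit message draws, while taint anywhere after a literal prefix still surfaces.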