Java: Include metrics in the database quality diagnostics and lower threshold.

michaelnebel · michaelnebel · commit b0ef0f06eb35 · 2025-09-08T12:05:37.000+02:00
diff --git a/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql b/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
@@ -8,26 +8,39 @@
 import java
 import DatabaseQuality
 
+private predicate diagnostic(string msg, float value, float threshold) {
+  CallTargetStatsReport::percentageOfOk(msg, value) and
+  threshold = 85
+  or
+  ExprTypeStatsReport::percentageOfOk(msg, value) and
+  threshold = 85
+}
+
 private newtype TDbQualityDiagnostic =
   TTheDbQualityDiagnostic() {
-    exists(float percentageGood |
-      CallTargetStatsReport::percentageOfOk(_, percentageGood)
-      or
-      ExprTypeStatsReport::percentageOfOk(_, percentageGood)
-    |
-      percentageGood < 95
+    exists(float percentageGood, float threshold |
+      diagnostic(_, percentageGood, threshold) and
+      percentageGood < threshold
     )
   }
 
+private string getDbHealth() {
+  result =
+    strictconcat(string msg, float value, float threshold |
+      diagnostic(msg, value, threshold)
+    |
+      msg + ": " + value.floor() + " % (threshold " + threshold.floor() + " %)", ". "
+    )
+}
+
 class DbQualityDiagnostic extends TDbQualityDiagnostic {
   string toString() {
     result =
       "Scanning Java code completed successfully, but the scan encountered issues. " +
-        "This may be caused by problems identifying dependencies or use of generated source code, among other reasons -- "
-        +
-        "see other CodeQL diagnostics reported on the CodeQL status page for more details of possible causes. "
-        +
-        "Addressing these warnings is advisable to avoid false-positive or missing results. If they cannot be addressed, consider scanning Java "
+        "This may be caused by problems identifying dependencies or use of generated source code. " +
+        "Some metrics of the database quality are: " + getDbHealth() + ". " +
+        "Ideally these metrics should be above their thresholds. " +
+        "Addressing these issues is advisable to avoid false-positives or missing results. If they cannot be addressed, consider scanning Java "
         +
         "using either the `autobuild` or `manual` [build modes](https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#comparison-of-the-build-modes)."
   }
