General issue - RandonUsedOnce.ql treated as a critical security issue

[garethhurley]

Description of the issue
The following query is reported in Github alerts as a Critical severity security issue (with a severity of 9.8).
However there is no 'security' tag.

The impact is that other tools (e.g. LGTM) that parse the query differently do not treat this as a security issue. Can this be clarified?

https://github.com/github/codeql/blob/main/java/ql/src/Likely%20Bugs/Arithmetic/RandomUsedOnce.ql

[smowton]

Seems like this should be fixed, raised #7613

[garethhurley]

Thanks @smowton
A couple of points:

• Is it reasonable to treat this as a security issue in general? The problem with 'random used once' is that whether it is a security problem depends strongly on the context (perhaps more than other security queries - e.g. buffer overflows in Cpp or XXE in Java).
• Even if this should be categorized as security does it really deserve a security-severity of 9.8? The problem.severity is 'warning'.
• Are there other queries where a 'security-precision' is high but the issue is not tagged as 'security'?