search

github / codeql-action

Actions for running CodeQL analysis
MIT License
1.14k stars 315 forks source link

paths / paths-ignore DOES seem to work for Go, yet annotation says is doesnt #2094

Open erzz opened 8 months ago

erzz commented 8 months ago

I battled for a while to get the action to only run for Go and a specific directory in a multi-language mono-repo.

I seemed to successful with the following:

- name: Initialize CodeQL
  uses: github/codeql-action/init@v3
  with:
    languages: go
    config: |
      paths:
        - ${{ inputs.path }}

By successful I mean that I can see in the SARIF reports that I am only getting locations related to the go part of the repository (before I was seeing everything from all languages in the reports).

So, the evidence suggests that this combination does what I needed - yet I get the annoying annotation below on every run:

image

Is it a faulty annotation?

ginsbach commented 8 months ago

Hi @erzz,

Thank you for the question! The annotation is not faulty (cf. our documentation here). The paths array only has an effect on interpreted languages. For compiled languages (such as Go), you can either rely on autobuild or provide explicit build steps. You can use the following documentation as a guide: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language

erzz commented 7 months ago

Thanks @ginsbach

Hmmm then perhaps the issue is more that without that input, the SARIF report is polluted with non-Go related locations

e.g.s

"invocations" : [ {
      "toolExecutionNotifications" : [ {
        "locations" : [ {
          "physicalLocation" : {
            "artifactLocation" : {
              "uri" : "tests/node-sample-app/index.html",
              "uriBaseId" : "%SRCROOT%",
              "index" : 0
            }
          }
        } ],
        "message" : {
          "text" : ""
        },
        "level" : "none",
        "descriptor" : {
          "id" : "go/diagnostics/successfully-extracted-files",
          "index" : 1,
          "toolComponent" : {
            "index" : 0
          }
        },
        "properties" : {
          "formattedMessage" : {
            "text" : ""
          }
        }
      },

...

{
        "locations" : [ {
          "physicalLocation" : {
            "artifactLocation" : {
              "uri" : "src/components/OutputList/index.js",
              "uriBaseId" : "%SRCROOT%",
              "index" : 5
            }
          }
        } ],
        "message" : {
          "text" : ""
        },
        "level" : "none",
        "descriptor" : {
          "id" : "cli/expected-extracted-files/javascript",
          "index" : 0
        },
        "properties" : {
          "formattedMessage" : {
            "text" : ""
          }
        }
      }, {
        "locations" : [ {
          "physicalLocation" : {
            "artifactLocation" : {
              "uri" : "sidebars.js",
              "uriBaseId" : "%SRCROOT%",
              "index" : 6
            }
          }
        } ],
        "message" : {
          "text" : ""
        },
        "level" : "none",
        "descriptor" : {
          "id" : "cli/expected-extracted-files/javascript",
          "index" : 0
        },
        "properties" : {
          "formattedMessage" : {
            "text" : ""
          }
        }
      },

...

Its nothing breaking or anything - just hard work when debugging or trying to interpret the SARIF with human eyes. With the config we get a much shorter and cleaner output only on the intended resources.

ginsbach commented 7 months ago

I have asked the Go team for a clarification.

smowton commented 7 months ago

Can you post or link to your whole codeql action yaml file?

erzz commented 7 months ago

Hi - sure! Its actually a resusable with a bunch of security related jobs... but here is the relevant parts at least

jobs:
  # <---------------------- CODEQL ----------------------->
  codeql:
    if: ${{ inputs.codeql-enable }}
    name: CodeQL
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: "${{ inputs.path }}/${{ inputs.go-version-file }}"
          check-latest: ${{ inputs.go-check-latest }}
          cache: ${{ inputs.go-cache }}
          cache-dependency-path: "${{ inputs.path }}/${{ inputs.go-cache-path }}"
          architecture: ${{ inputs.go-architecture }}

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: go

      - name: Run build
        run: |
          cd "$GITHUB_WORKSPACE/${{ inputs.path }}"
          ${{ inputs.build-command }}

      - name: Perform CodeQL Analysis
        id: codeql
        uses: github/codeql-action/analyze@v3

      - name: Upload Reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: CodeQL Reports
          path: ${{ steps.codeql.outputs.sarif-output }}
smowton commented 7 months ago

Ah sorry, @ginsbach is right; this is expected behaviour. The various "expected-extracted-file" reports serve to inform the UI that it could be useful to enable languages other than golang if they are not already being analysed.