Open erzz opened 8 months ago
Hi @erzz,
Thank you for the question! The annotation is not faulty (cf. our documentation here). The paths
array only has an effect on interpreted languages. For compiled languages (such as Go), you can either rely on autobuild
or provide explicit build steps. You can use the following documentation as a guide: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language
Thanks @ginsbach
Hmmm then perhaps the issue is more that without that input, the SARIF report is polluted with non-Go related locations
e.g.s
"invocations" : [ {
"toolExecutionNotifications" : [ {
"locations" : [ {
"physicalLocation" : {
"artifactLocation" : {
"uri" : "tests/node-sample-app/index.html",
"uriBaseId" : "%SRCROOT%",
"index" : 0
}
}
} ],
"message" : {
"text" : ""
},
"level" : "none",
"descriptor" : {
"id" : "go/diagnostics/successfully-extracted-files",
"index" : 1,
"toolComponent" : {
"index" : 0
}
},
"properties" : {
"formattedMessage" : {
"text" : ""
}
}
},
...
{
"locations" : [ {
"physicalLocation" : {
"artifactLocation" : {
"uri" : "src/components/OutputList/index.js",
"uriBaseId" : "%SRCROOT%",
"index" : 5
}
}
} ],
"message" : {
"text" : ""
},
"level" : "none",
"descriptor" : {
"id" : "cli/expected-extracted-files/javascript",
"index" : 0
},
"properties" : {
"formattedMessage" : {
"text" : ""
}
}
}, {
"locations" : [ {
"physicalLocation" : {
"artifactLocation" : {
"uri" : "sidebars.js",
"uriBaseId" : "%SRCROOT%",
"index" : 6
}
}
} ],
"message" : {
"text" : ""
},
"level" : "none",
"descriptor" : {
"id" : "cli/expected-extracted-files/javascript",
"index" : 0
},
"properties" : {
"formattedMessage" : {
"text" : ""
}
}
},
...
Its nothing breaking or anything - just hard work when debugging or trying to interpret the SARIF with human eyes. With the config we get a much shorter and cleaner output only on the intended resources.
I have asked the Go team for a clarification.
Can you post or link to your whole codeql action yaml file?
Hi - sure! Its actually a resusable with a bunch of security related jobs... but here is the relevant parts at least
jobs:
# <---------------------- CODEQL ----------------------->
codeql:
if: ${{ inputs.codeql-enable }}
name: CodeQL
runs-on: ubuntu-latest
steps:
- name: Checkout Source
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: "${{ inputs.path }}/${{ inputs.go-version-file }}"
check-latest: ${{ inputs.go-check-latest }}
cache: ${{ inputs.go-cache }}
cache-dependency-path: "${{ inputs.path }}/${{ inputs.go-cache-path }}"
architecture: ${{ inputs.go-architecture }}
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: go
- name: Run build
run: |
cd "$GITHUB_WORKSPACE/${{ inputs.path }}"
${{ inputs.build-command }}
- name: Perform CodeQL Analysis
id: codeql
uses: github/codeql-action/analyze@v3
- name: Upload Reports
uses: actions/upload-artifact@v4
if: always()
with:
name: CodeQL Reports
path: ${{ steps.codeql.outputs.sarif-output }}
Ah sorry, @ginsbach is right; this is expected behaviour. The various "expected-extracted-file" reports serve to inform the UI that it could be useful to enable languages other than golang if they are not already being analysed.
I battled for a while to get the action to only run for Go and a specific directory in a multi-language mono-repo.
I seemed to successful with the following:
By successful I mean that I can see in the SARIF reports that I am only getting locations related to the go part of the repository (before I was seeing everything from all languages in the reports).
So, the evidence suggests that this combination does what I needed - yet I get the annoying annotation below on every run:
Is it a faulty annotation?