Open jason-ha opened 1 year ago
Thanks for reporting. The problem seems to be caused by the use of different path component separators: D:/a/_work/1/s/build/tsconfig.json === D:\a\_work\1\s\build\tsconfig.json
. We need to investigate why this happens.
As a workaround you could try switching to a Linux agent.
Unfortunately, we cannot use a linux agent or at least couldn't without weeks of work. The build for repository in question has complicated setup. The javascript present is a small portion; so, we can wait for a fix. Also worth noting that most of the javascript is generated during the build; so, no good option to do a one-off javascript "build" to capture that portion.
Thanks!
Also worth noting that most of the javascript is generated during the build; so, no good option to do a one-off javascript "build" to capture that portion.
What is the JavaScript code build from?
If it's build from other JavaScript/TypeScript in the same repo, then our analysis should work just fine without doing a build-step.
(JS generally doesn't require a build-step, unlike e.g. Java/C#/C++).
Mostly Emscripten
Mostly Emscripten
If the source language of that code is one of the other languages covered by CodeQL (C++?), then that language analysis should take care of analyzing the source code.
Analyzing compiled JavaScript, especially from a tool like Emscripten, won't provide you much benefit, as the it's unlikely that our analysis will find anything useful, and even if it does you can't fix the JavaScript code directly.
My recommendation is to do the JavaScript analysis on a simple linux runner that doesn't do any build or setup
I'm not sure. I don't think there is a translation of C++ to javascript exactly such that a C++ scan would get results. I think it is more complicated. And even if we can't drive a change directly we'd want to be aware of the issue. In some cases, there might be an alternate pattern. Anyway the tooling isn't meant to just run on Linux, right? Are you considering not fixing or just discussing possible workarounds until this is fixed?
Anyway the tooling isn't meant to just run on Linux, right?
Correct. I'm currently using it on a Mac. And we test most things on Linux+Mac+Windows.
Are you considering not fixing or just discussing possible workarounds until this is fixed?
The latter.
I don't know how long it'll take before the issue is fixed.
I use a Mac right now, so I'm trying to pull someone else in that can help fix the issue.
I don't think there is a translation of C++ to javascript exactly such that a C++ scan would get results. I think it is more complicated.
More complicated? What is the source language?
Our analysis is not designed to work on generated code, and it generally performs badly and/or produces results that don't mean much.
This is why we generally tell people not to run any build-steps before analyzing JavaScript code.
So I still think you can skip the build-step on your JavaScript code.
Oh, and you won't get in-PR alerts from generated code. The alerts will only appear in the code-scanning tab.
I have tried to replicate it on a non-dev Windows box I have access to. But I can't replicate the issue.
I don't know why.
It might be that the TypeScript compiler no longer crashes on that input (it's been updated since).
Or it could be that the code I tried on didn't experience the above in the first place. (I tried on github.com/microsoft/vscode
, which is a complex TypeScript application).
You can see if updating CodeQL fixes the issue 🤷
If not, then I will still recommend that you move your JavaScript analysis to a separate run, where you don't do a build. Because the JavaScript analysis does not need the build to happen, and the build artifacts might confuse the analysis or make the performance worse.
D:\a_work_temp\codeql3000\github\codeql\codeql.exe database trace-command --index-traceless-dbs --db-cluster D:\a_work_temp\codeql3000\d Running 2 commands for 3 databases:
As stated above I was unable to replicate the issue.
Can you give me a minimal example that cause the crash to happen?
When javascript is scanned during finalize typescript-parser-wrapper can throw with tsconfig.json path mismatch. This particular situation was found when more than javascript was detected and was on a Windows agent.