Open pekkasin opened 1 year ago
You're right that CodeQL always sets MvcBuildViews to true in order to build and index .cshtml
files, since they may be relevant to security issues that our analysis tries to identify. I'll ask the C# team to comment further re: whether this can be disabled, or if we would consider adding such a facility in future.
Hello, thanks for replying! I had a hunch that the reason could be something like what you just described. The thing is that this wasn't a "feature" a couple of months back, so this change caused me a bit of a headache trying to trace it down (couldn't find it documented anywhere either) :D A simple ability to disable it would be very welcome since it would remove the need for me to maintain a separate configuration with CodeQL in mind.
Out of curiosity, doesn't the compile time failure (introduced by the codeql analysis) mean that your application would fail at runtime?
Yeah, it would for that particular view. I'll readily admit that this is probably an unusual use case :)
Any update on how we can ignore the error.
"D:\a\esd-coa\esd-coa\COA.Web.sln" (default target) (1) -> "D:\a\esd-coa\esd-coa\COA.User\COA.User.csproj" (default target) (12) -> (MvcBuildViews target) -> d:\a\esd-coa\esd-coa\COA.User\Views\Shared\EditorTemplates\String.cshtml(3): error CS1061: 'Kendo.Mvc.UI.Fluent.WidgetFactory
Until an option to turn this feature off turns up, I've resorted to tweaking the csproj file with powershell during the GitHub Action so that the hard-coded condition "gets fooled", basically. Something like this:
$filePath = (Join-Path $pwd '\SUBFOLDER\YOURCSPROJFILE.csproj')
$csproj = [xml](Get-Content $filePath)
$buildTargetNode = $csproj.Project.Target | ? name -eq "MvcBuildViews"
$buildTargetNode.SetAttribute("Condition", "'`$(MvcBuildViews)'=='false'")
$csproj.Save($filePath)
Running into the same problem. My VS solution is ancient and something is broken that prevents MvcBuildViews from working in the first place. This is what msbuild.exe spits out when CodeQL is in the workflow:
(MvcBuildViews target) -> C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config(129): error ASPCONFIG: Could not load type 'System.Data.Entity.Design.AspNet.EntityDesignerBuildProvider'.
As far as I know, all of my .cshtml Views compile correctly at runtime.
Another workaround is to add ContinueOnError="WarnAndContinue"
-attribute to the MvcBuildViews build target like this:
<Target Name="MvcBuildViews" AfterTargets="AfterBuild" Condition="'$(MvcBuildViews)'=='true'">
<AspNetCompiler VirtualPath="temp" PhysicalPath="$(WebProjectOutputDir)" ContinueOnError="WarnAndContinue" />
</Target>
Issue Description
MSBuild doesn't seem to respect the MvcBuildViews-setting defined in a .NET-project's .csproj-file when it is run as a github action or through codeql cli. After trial and error, MSBuild seems to behave as if MvcBuildViews is hardcoded to be true. Mvc view precompilation works just as expected when MSBuild is run locally on its own.
In short, I can't disable mvc view precompilation by setting
<MvcBuildViews>false</MvcBuildViews>
in project configuration.Possibly noteworthy: I've used two different versions of CodeQL (2.12.0 latest and 2.6.0) and this only happens with 2.12.0.
Steps to Reproduce
false
by default in the project's .csproj -file like so:<MvcBuildViews>false</MvcBuildViews>
<Target Name="MvcBuildViews" AfterTargets="AfterBuild" Condition="'$(MvcBuildViews)'=='true'"> <AspNetCompiler VirtualPath="temp" PhysicalPath="$(WebProjectOutputDir)" /> </Target>
ViewBag.Title
inViews/Home/Index.cshtml
like this:nuget restore
the dependencies if Visual Studio didn't do it for you.on: push: branches: [ "main" ] pull_request: branches: [ "main" ] schedule:
jobs: analyze: name: Analyze runs-on: windows-latest permissions: actions: read contents: read security-events: write
Local | False | False | Yes GH Actions | | | No
Local | True | False | No GH Actions | | | No
This is the default setting that the project template comes with
Local | False | True | No GH Actions | | | Yes
Local | True | True | Yes GH Actions | | | Yes