Open marktefftech opened 4 months ago
Edit: Added screenshots and example query commands
SARIF is a static analysis results interchange format, and is meant as a common output format for static analysis tools. Therefore it is mainly designed for representing alerts/warnings/errors in source code. CodeQL is a general purpose query language and can output arbitrary table data. CodeQL uses the `@kind` metadata tag to determine how to interpret the table data as static analysis results when writing SARIF output. Only a limited number of `@kind`s can be included in SARIF (mainly `problem` and `path-problem`). If there is no `@kind` then CodeQL does not know how to interpret the data, and fails.
Currently we can only use `@kind problem` and `@kind path-problem` queries with query suites. Other queries need to be run manually and they end up in a separate format (`.bqrs` and not `.sarif`).

There's a difference in exporting results from the UI in VS Code. If you right click on a row in the query history, this is what you see for a raw query:
This is what you see for a path-problem query:
Notice the "View Alerts (SARIF)" option
You can directly run a CodeQL query like this:
However, with the output format set to sarif, we get this error:
This error happens after we have the BQRS, the tool is just saying it can't convert the BQRS to a SARIF.
Is it possible to include all query results in the sarif file?
Thanks in advance
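One way to get rows of a raw (no `@kind`) query into a SARIF file anyway is to decode the BQRS to JSON and wrap each row in a SARIF `result` object yourself. The script below is an added example, not code from the issue author or from the CodeQL project. It assumes the pipeline `codeql query run --database=<db> --output=results.bqrs query.ql` followed by `codeql bqrs decode --format=json --output=results.json results.bqrs`, and it assumes that the decoded JSON has a `#select` result set with `columns` and `tuples`, where entity columns are objects carrying a `label` and a `url` with `uri`/`startLine`/`startColumn`/`endLine`/`endColumn`; the sample input is constructed to that assumed shape, so adjust the two small accessor helpers if your decoder output differs. The rule id and tool name are placeholders.

```python
import json

# Constructed sample input in the layout assumed for `codeql bqrs decode --format=json`
# (assumption, not verified against a particular CodeQL release): one entity column,
# one string column, plus a third row with no location to show that case is handled.
SAMPLE_DECODED = {
    "#select": {
        "columns": [{"name": "call", "kind": "Entity"}, {"name": "msg", "kind": "String"}],
        "tuples": [
            [{"label": "strcpy(...)", "url": {"uri": "file:/src/main.c", "startLine": 42,
                                                "startColumn": 5, "endLine": 42, "endColumn": 24}},
             "unbounded copy"],
            [{"label": "gets(...)", "url": {"uri": "file:/src/input.c", "startLine": 7,
                                              "startColumn": 9, "endLine": 7, "endColumn": 17}},
             "dangerous read"],
            [17, "a row with no location: still emitted, without locations"],
        ],
    }
}


def _is_entity(cell):
    """An entity cell is a dict carrying a source location under 'url'."""
    return isinstance(cell, dict) and "url" in cell


def _location(cell):
    """Translate an entity cell into a SARIF physicalLocation."""
    url = cell["url"]
    uri = url["uri"]
    # Make the path relative to the source root, the way CodeQL's own SARIF does,
    # by stripping the file: scheme and leading slashes.
    if uri.startswith("file:"):
        uri = uri[len("file:"):].lstrip("/")
    region = {k: url[k] for k in ("startLine", "startColumn", "endLine", "endColumn") if k in url}
    return {"physicalLocation": {"artifactLocation": {"uri": uri, "uriBaseId": "%SRCROOT%"},
                                 "region": region}}


def _text(cell):
    """Human-readable form of a cell: the label for entities, str() for primitives."""
    if isinstance(cell, dict):
        return str(cell.get("label", cell))
    return str(cell)


def table_to_sarif(decoded, rule_id, rule_description, tool_name="codeql-table-export"):
    """Wrap every row of the #select result set in a SARIF 2.1.0 result.

    Every row becomes one result whose message is 'col=value; ...'; every entity
    cell in the row becomes one location. Rows with no entity cell get no
    'locations' property, which SARIF permits.
    """
    result_set = decoded["#select"]
    names = [c["name"] for c in result_set["columns"]]
    results = []
    for row in result_set["tuples"]:
        message = "; ".join(f"{n}={_text(c)}" for n, c in zip(names, row))
        result = {"ruleId": rule_id, "level": "note", "message": {"text": message}}
        locations = [_location(c) for c in row if _is_entity(c)]
        if locations:
            result["locations"] = locations
        results.append(result)
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {"name": tool_name,
                                "rules": [{"id": rule_id,
                                           "shortDescription": {"text": rule_description}}]}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    # Usage with real input: replace SAMPLE_DECODED by json.load(open("results.json")).
    sarif = table_to_sarif(SAMPLE_DECODED, "my/raw-query", "Rows of a raw CodeQL query")
    print(json.dumps(sarif, indent=2))
```

The output is valid SARIF that viewers will load, but it carries none of the alert semantics a `@kind problem` query gives CodeQL: every row is just a `note` with a concatenated message, so use it for transporting table data rather than as a substitute for a proper alert query. If a raw query already has the problem shape (an element column followed by a message column), check `codeql bqrs interpret --help` for supplying the missing `kind` and `id` metadata on the command line instead of editing the query.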