github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

CI: Ignore path for compiled languages #5618

Open soumyamahunt opened 3 years ago

soumyamahunt commented 3 years ago

Description of the issue

I have implemented CodeQL scanning in the workflow for this project. It is a UWP app that uses XAML for UI and also uses additional tools like cppwinrt. When CodeQL scanning is performed, CodeQL produces alerts for XAML-compiler-generated files and cppwinrt-generated header files. Since these kinds of files, which are generated by build tools, aren't maintained by individual project maintainers, it doesn't make sense to get code quality analysis for them (getting security analysis is fine). Is there any way I can restrict the analysis done for these kinds of files?

Additional Details

Right now I am using this workflow to manually dismiss these kinds of alerts. However, I want to automate it as soon as the code scanning results are published. Is there any way I can automate this?

aeisenberg commented 3 years ago

According to the docs:

If the C/C++, C#, or Java code in your repository has a non-standard build process, autobuild may fail. You will need to remove the autobuild step from the workflow, and manually add build steps. For information on how to edit the workflow file, see "Configuring code scanning."

What this means is that the only way to ignore files in a compiled project is through a custom build step that explicitly avoids compiling these files.

aeisenberg commented 3 years ago

Internally, we've been discussing how to implement paths-ignore for compiled languages, but I can't promise anything about if or when we will ship.

soumyamahunt commented 3 years ago

According to the docs:

If the C/C++, C#, or Java code in your repository has a non-standard build process, autobuild may fail. You will need to remove the autobuild step from the workflow, and manually add build steps. For information on how to edit the workflow file, see "Configuring code scanning."

What this means is that the only way to ignore files in a compiled project is through a custom build step that explicitly avoids compiling these files.

Yes, I do understand that, but the project needs these files to be built successfully. You can think of these files as dependencies that are generated from some metadata (the XAML compiler produces these from .xaml files and cppwinrt produces these from .winmd files) and then compiled, rather than importing any .lib/.dll.

Internally, we've been discussing how to implement paths-ignore for compiled languages, but I can't promise anything about if or when we will ship.

That's good news. I hope this comes sooner.

aeisenberg commented 3 years ago

After the code generation step, is there anything that can be cleaned up before moving on to the code scanning step?

Again, it sounds like your workload is just too much for a standard runner. Have you considered a self-hosted runner?

soumyamahunt commented 3 years ago

After the code generation step, is there anything that can be cleaned up before moving on to the code scanning step?

Files generated by the XAML compiler are all required, while I can clean some headers generated by cppwinrt that I don't use, although having an ignore path is much easier. Also, doing this doesn't solve anything, as I would still get code quality alerts for the generated files I use.

Again, it sounds like your workload is just too much for a standard runner. Have you considered a self-hosted runner?

Do self-hosted runners provide any special features regarding code scanning? I couldn't find anything regarding that in the documentation.

By the way, do you have any suggestion by which I can automate my code-scan-alert bulk-dismissal action? I currently use it to dismiss unnecessary alerts, but I would like it to run as soon as new alerts are generated (so that I don't have to trigger it manually).

aeisenberg commented 3 years ago

Self-hosted runners do not offer specific features for code scanning, but they do allow you to provide your own machine for running workflows, which can be as powerful as you need.

I do have some ideas on how you can improve your workflow, but it is very late for me and it will need to wait until tomorrow.

aeisenberg commented 3 years ago

You can use the workflow_run trigger to ensure that the csa-bulk-dismissal.yml workflow is triggered after main.yml completes.

For example:

```yaml
on:
  workflow_run:
    workflows: ["Notepads CI/CD Pipeline"]
    types:
      - completed
```

With this, you will no longer need to manually trigger the workflow. It does not accept any inputs, though.

jfitch11 commented 3 years ago

Any updates on supporting this?

jfitch11 commented 2 years ago

I ended up writing some custom PowerShell that reads in a SARIF file and removes results based on the path. This works well for some results (NuGet packages, for example) but doesn't cover all.
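The same post-processing idea, as an added example that is not jfitch11's script and not part of the CodeQL project: a small Python filter that reads a SARIF 2.1.0 file, drops results whose every location lies under an ignored path, and, to match the original request on this thread (no quality alerts for generated files, but security alerts still wanted), keeps a result anyway when its rule carries a `security` tag. It assumes that CodeQL emits each query's tags under the rule's `properties.tags` in the SARIF `tool.driver.rules` array, that result URIs are repository-relative, and that glob patterns in `fnmatch` style (where `*` also matches `/`) are an acceptable way to express "generated" paths. The embedded SARIF document, rule ids and paths are constructed for the demonstration, not taken from any real scan.

```python
"""Drop non-security SARIF results located in generated files.

Constructed example; not the CodeQL project's code and not the
PowerShell script mentioned in the thread.
"""
import argparse
import fnmatch
import json
from typing import Iterable, Tuple

# Constructed SARIF sample: two placeholder rules, one tagged "security",
# and five results spread across hand-written and generated files.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-analyzer", "rules": [
            {"id": "example/security-rule",
             "properties": {"tags": ["security", "external/cwe/cwe-000"]}},
            {"id": "example/quality-rule",
             "properties": {"tags": ["maintainability"]}},
        ]}},
        "results": [
            _r for _r in [
                {"ruleId": "example/quality-rule",
                 "locations": [{"physicalLocation": {"artifactLocation": {
                     "uri": "Generated Files/App.g.cpp"}}}]},
                {"ruleId": "example/security-rule",
                 "locations": [{"physicalLocation": {"artifactLocation": {
                     "uri": "Generated Files/winrt/impl/Example.2.h"}}}]},
                {"ruleId": "example/quality-rule",
                 "locations": [{"physicalLocation": {"artifactLocation": {
                     "uri": "src/Main.cpp"}}}]},
                {"ruleId": "example/quality-rule",
                 "locations": [
                     {"physicalLocation": {"artifactLocation": {"uri": "src/Util.cpp"}}},
                     {"physicalLocation": {"artifactLocation": {"uri": "Generated Files/Util.g.h"}}}]},
                {"ruleId": "example/quality-rule", "locations": []},
            ]
        ],
    }],
}

# Constructed ignore list for the sample above.
IGNORE_PATTERNS = ["Generated Files/*", "*.g.h", "*.g.cpp"]


def _rule_tags(run: dict) -> dict:
    """Map rule id -> set of tags declared in tool.driver.rules (assumed layout)."""
    rules = run.get("tool", {}).get("driver", {}).get("rules", [])
    return {r["id"]: set(r.get("properties", {}).get("tags", []))
            for r in rules if "id" in r}


def _result_uris(result: dict) -> list:
    """Collect the artifact URIs of every physical location on a result."""
    uris = []
    for loc in result.get("locations", []):
        uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri")
        if uri:
            uris.append(uri[2:] if uri.startswith("./") else uri)
    return uris


def _ignored(uri: str, patterns: Iterable[str]) -> bool:
    return any(fnmatch.fnmatchcase(uri, p) for p in patterns)


def filter_sarif(sarif: dict, ignore_patterns: Iterable[str],
                 keep_tags: Iterable[str] = ("security",)) -> Tuple[dict, int]:
    """Return (filtered copy, number of dropped results).

    A result is dropped only when it has at least one location, every
    location matches an ignore pattern, and its rule has none of keep_tags.
    Results touching maintained code, or with no location at all, survive.
    """
    out = json.loads(json.dumps(sarif))  # deep copy; never mutate the input
    patterns = list(ignore_patterns)
    keep = set(keep_tags)
    dropped = 0
    for run in out.get("runs", []):
        tags = _rule_tags(run)
        kept = []
        for res in run.get("results", []):
            rule_id = res.get("ruleId") or res.get("rule", {}).get("id", "")
            uris = _result_uris(res)
            only_generated = bool(uris) and all(_ignored(u, patterns) for u in uris)
            if only_generated and not (tags.get(rule_id, set()) & keep):
                dropped += 1
                continue
            kept.append(res)
        run["results"] = kept
    return out, dropped


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("src"), ap.add_argument("dst")
    ap.add_argument("patterns", nargs="*", default=IGNORE_PATTERNS)
    a = ap.parse_args()
    with open(a.src, encoding="utf-8") as f:
        filtered, n = filter_sarif(json.load(f), a.patterns)
    with open(a.dst, "w", encoding="utf-8") as f:
        json.dump(filtered, f, indent=2)
    print(f"dropped {n} result(s)")
```

In a workflow this would run between the `github/codeql-action/analyze` step (with `upload: false` and `output:` pointing at a directory) and a `github/codeql-action/upload-sarif` step that uploads the rewritten file. Two caveats worth keeping in mind: filtering before upload leaves no dismissal record in code scanning, unlike the bulk-dismissal approach from earlier in the thread, so keep the pre-filter log as the audit trail; and the tag check only works if the rules block is present in the SARIF, so a result whose rule is missing from `tool.driver.rules` is treated as untagged and may be dropped.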