github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
https://codeql.github.com
MIT License

Python poetry alerts #9897

Open guderkar opened 2 years ago

guderkar commented 2 years ago

I've set up a basic CodeQL pipeline for Python and I'm using poetry as the dependency manager.

What I found out is that if the file poetry.toml with the configuration below is present (venv is created in $PWD/.venv)

[virtualenvs]
in-project = true

then the pipeline starts reporting a bunch of alerts regarding urllib, requests, etc.

If I remove poetry.toml the alerts are gone (venv is created in /home/runner/.cache/pypoetry/virtualenvs).

I'm not sure if I should be getting the alerts or not. However the behavior should be consistent in both cases.

guderkar commented 2 years ago

I think I get it now: CodeQL searches for Python files in the current working directory, right? Therefore when .venv is in the cwd it also scans all the dependencies. Still, what is the intended way? Scan only project files or scan all files including dependencies? I guess I can just put .venv into some path ignore to make it consistent. Feel free to close this issue.
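The path-ignore idea from the comment above, written out as a CodeQL configuration (an added example, not from the issue or the CodeQL project; the config file path and the workflow step name are assumptions, and the in-project virtualenv location comes from the poetry.toml shown earlier):

```yaml
# .github/codeql/codeql-config.yml (assumed location)
# Keeps the scan to the project's own sources: with poetry's
# virtualenvs.in-project = true the venv lands in $PWD/.venv, so without
# this exclusion CodeQL extracts every installed dependency too and the
# alerts differ depending on where the venv happens to be created.
name: "Project-only Python scan"
paths-ignore:
  - ".venv"              # in-project venv created by poetry
  - "**/site-packages"   # any other installed packages under the checkout
paths:
  - "src"                # assumed project source directory; adjust to the repo layout
  - "tests"

---
# Corresponding step in the workflow (assumed to use the init action with a config file)
- name: Initialize CodeQL
  uses: github/codeql-action/init@v2
  with:
    languages: python
    config-file: ./.github/codeql/codeql-config.yml
```

With this in place the result is the same whether or not poetry.toml is present, since the dependency tree is excluded in both cases rather than scanned only when it happens to sit inside the working directory.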