Open guderkar opened 2 years ago
I think I get it now. CodeQL searches for Python files in the current working directory, right? Therefore when `.venv` is in the cwd it also scans all the dependencies. Still, what is the intended way? Scan only project files, or scan all files including dependencies? I guess I can just put `.venv` into some path ignore to make it consistent. Feel free to close this issue.
I've set up a basic CodeQL pipeline for Python and I'm using Poetry as the dependency manager. What I found out is that if the file `poetry.toml` with the configuration below is present (the venv is created in `$PWD/.venv`), then the pipeline starts reporting a bunch of alerts regarding urllib, requests, etc. If I remove `poetry.toml`, the alerts are gone (the venv is created in `/home/runner/.cache/pypoetry/virtualenvs`). I'm not sure if I should be getting the alerts or not. However, the behavior should be consistent in both cases.
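The workaround the reporter suggests in the follow-up comment (keeping the in-project virtualenv out of the scan), written out as an added example; this is not part of the original issue and not a file from the CodeQL or Poetry projects. It assumes the `poetry.toml` referred to above is the standard Poetry `in-project = true` setting, that the config file lives at `.github/codeql/codeql-config.yml`, and that the workflow hands it to `github/codeql-action/init` via its `config-file` input. Paths are relative to the repository root.

```yaml
# .github/codeql/codeql-config.yml  (added example; file location is an assumption)
name: "Scan project sources only"

# Poetry configured with
#   [virtualenvs]
#   in-project = true
# creates the venv at $PWD/.venv, i.e. inside the checkout CodeQL analyses.
# Third-party packages (urllib, requests, ...) then get scanned as if they
# were project code and produce alerts. With the default Poetry cache
# location (~/.cache/pypoetry/virtualenvs) the venv sits outside the
# checkout and the same alerts never appear. Excluding the directory makes
# the result independent of where the venv happens to be created.
paths-ignore:
  - ".venv/**"
  - "**/.venv/**"   # in-project venvs of nested packages as well (assumption)

# Alternative: name the source tree instead of listing exclusions
# (uncomment and adjust; directory names are assumptions).
# paths:
#   - "src/"
#   - "tests/"
```

In the workflow, point the init step at the file: under `uses: github/codeql-action/init@v3` add `with: config-file: ./.github/codeql/codeql-config.yml` (the action version is an assumption). After the change, the alert count should be the same whether or not `poetry.toml` is present, which is a quick way to confirm the exclusion took effect.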