microsoft / GHAzDO-Resources

Resources, Scripts, etc. for GitHub Advanced Security on Azure DevOps
MIT License

codeql-autosetup does not work #31

Closed 0GiS0 closed 5 months ago

0GiS0 commented 5 months ago

Hi all,

Thank you so much for this repo! I'm trying to use codeql-autosetup but I get an error:

image

Before adding this task to the marketplace I ran npm install and tsc inside the src/extensions/codeql-autosetup/buildandreleasetask folder to make sure it has the node_modules in place, but I still get this error.

Did I miss something?

Thank you so much!

0GiS0 commented 5 months ago

Hi again!

The first issue was solved but it is still not working. I modified the error message a little bit and it seems the System.AccessToken doesn't have the right permissions to call ProjectAnalysis:LanguageMetrics

##[debug]Evaluating condition for step: 'AdvancedSecurityCodeQLAutoconfig'
##[debug]Evaluating: SucceededNode()
##[debug]Evaluating SucceededNode:
##[debug]=> True
##[debug]Result: True
Starting: AdvancedSecurityCodeQLAutoconfig
==============================================================================
Task         : Advanced Security CodeQL Autoconfigurator
Description  : Sets Variables and automatically configures CodeQL for use in the pipeline
Version      : 0.1.13
Author       : Microsoft Corporation
Help         : https://aka.ms/advanced-security/code-scanning/detection
==============================================================================
##[debug]Using node path: /home/vsts/agents/3.236.1/externals/node/bin/node
##[debug]agent.TempDirectory=/home/vsts/work/_temp
##[debug]loading inputs and endpoints
##[debug]loading ENDPOINT_AUTH_SYSTEMVSSCONNECTION
##[debug]loading ENDPOINT_AUTH_SCHEME_SYSTEMVSSCONNECTION
##[debug]loading ENDPOINT_AUTH_PARAMETER_SYSTEMVSSCONNECTION_ACCESSTOKEN
##[debug]loading SECRET_SYSTEM_ACCESSTOKEN
##[debug]loaded 4
##[debug]Agent.ProxyUrl=undefined
##[debug]Agent.CAInfo=undefined
##[debug]Agent.ClientCert=undefined
##[debug]Agent.SkipCertValidation=undefined
##[debug]Agent.ToolsDirectory=/opt/hostedtoolcache
Tool Cache Directory: /opt/hostedtoolcache
##[debug]Agent.ToolsDirectory=/opt/hostedtoolcache
##[debug]Agent.ToolsDirectory=/opt/hostedtoolcache
##[debug]System.CollectionUri=https://dev.azure.com/returngisorg/
##[debug]System.TeamProjectId=f065fad0-13d3-4d58-b61a-ce3fdb0165c5
##[debug]Build.Repository.ID=715536d8-b2c9-453b-a27a-c8931e82be01
##[debug]set AdvancedSecurity.CodeQL.Autoconfig=failed
##[debug]Processed: ##vso[task.setvariable variable=AdvancedSecurity.CodeQL.Autoconfig;isOutput=false;issecret=false;]failed
##[debug]System.AccessToken=***
Token: ***
Using Project f065fad0-13d3-4d58-b61a-ce3fdb0165c5
##[debug]set AdvancedSecurity.CodeQL.Autoconfig=failed
##[debug]Processed: ##vso[task.setvariable variable=AdvancedSecurity.CodeQL.Autoconfig;isOutput=false;issecret=false;]failed
CodeQL Autoconfig failed with error: Error: Access Denied: 4922da13-6f02-44b8-9c75-9e9c355e4858 needs the following permission(s) on the resource ProjectAnalysis:LanguageMetrics:f065fad0-13d3-4d58-b61a-ce3fdb0165c5 to perform this action: View Project Analysis language metrics data
Finishing: AdvancedSecurityCodeQLAutoconfig

Any thoughts on this?

// cc @ncouraud

Thanks again!

felickz commented 5 months ago

I was getting the same error:

     message: 'Access Denied: bbb480c8-6d40-4635-b3c5-bea9d32a33e1 needs the following permission(s) on the resource ProjectAnalysis:LanguageMetrics:e67087a7-e72d-4562-8713-049881d236a5 to perform this action: View Project Analysis language metrics data',
     typeName: 'Microsoft.VisualStudio.Services.Security.AccessCheckException, Microsoft.VisualStudio.Services.WebApi',

Looking up that API showed we need a permission Contributors have. My fix was to add the project build account to the project contributor group:

Image
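The access-check error quoted in this thread names the identity, the resource and the missing permission. As an added example (not code from this repository; `parseLog` and `summarize` are hypothetical names, and the message layout is assumed from the two errors quoted above), this TypeScript extracts those fields from a pipeline log so it is clear which build identity needs which permission on which project:

```typescript
// Added example: names are hypothetical; message layout assumed from this thread.
interface AccessDenied {
  identityId: string; // GUID of the identity the job's token ran as
  namespace: string;  // security namespace, e.g. "ProjectAnalysis"
  action: string;     // e.g. "LanguageMetrics"
  resourceId: string; // GUID of the project the check ran against
  permission: string; // display name of the missing permission
}

const GUID = "[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}";
const DENIED = new RegExp(
  "Access Denied: (" + GUID + ") needs the following permission\\(s\\) on the resource " +
  "([A-Za-z]+):([A-Za-z]+):(" + GUID + ") to perform this action: ([^'\\r\\n]+)");
const PROJECT = new RegExp("System\\.TeamProjectId=(" + GUID + ")");

// Returns the pipeline's project id (if logged) and the de-duplicated denials.
function parseLog(log: string): { projectId: string | null; denials: AccessDenied[] } {
  let projectId: string | null = null;
  const seen: Record<string, boolean> = {};
  const denials: AccessDenied[] = [];
  for (const line of log.split(/\r?\n/)) {
    const p = PROJECT.exec(line);
    if (p && projectId === null) projectId = (p[1] ?? "").toLowerCase();
    const m = DENIED.exec(line);
    if (!m) continue;
    const d: AccessDenied = {
      identityId: (m[1] ?? "").toLowerCase(), namespace: m[2] ?? "", action: m[3] ?? "",
      resourceId: (m[4] ?? "").toLowerCase(), permission: (m[5] ?? "").trim(),
    };
    const key = [d.identityId, d.namespace, d.action, d.resourceId].join("|");
    if (!seen[key]) { seen[key] = true; denials.push(d); }
  }
  return { projectId, denials };
}

// One line per denial, noting whether it targets the pipeline's own project.
function summarize(log: string): string[] {
  const { projectId, denials } = parseLog(log);
  return denials.map((d) => {
    const scope = projectId === null ? "project id not in log"
      : d.resourceId === projectId ? "pipeline's own project" : "a different project";
    return `${d.identityId} lacks "${d.permission}" on ${d.namespace}:${d.action} (${scope})`;
  });
}

// Sample input: lines copied from the log quoted in this thread.
const SAMPLE_LOG = [
  "##[debug]System.TeamProjectId=f065fad0-13d3-4d58-b61a-ce3fdb0165c5",
  "CodeQL Autoconfig failed with error: Error: Access Denied: 4922da13-6f02-44b8-9c75-9e9c355e4858 needs the following permission(s) on the resource ProjectAnalysis:LanguageMetrics:f065fad0-13d3-4d58-b61a-ce3fdb0165c5 to perform this action: View Project Analysis language metrics data",
].join("\n");
console.log(summarize(SAMPLE_LOG).join("\n"));
```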

0GiS0 commented 5 months ago

> I was getting the same error:
>
>      message: 'Access Denied: bbb480c8-6d40-4635-b3c5-bea9d32a33e1 needs the following permission(s) on the resource ProjectAnalysis:LanguageMetrics:e67087a7-e72d-4562-8713-049881d236a5 to perform this action: View Project Analysis language metrics data',
>      typeName: 'Microsoft.VisualStudio.Services.Security.AccessCheckException, Microsoft.VisualStudio.Services.WebApi',
>
> Looking up that API showed we need a permission Contributors have. My fix was to add the project build account to the project contributor group:
>
> Image

Hi @felickz ! Thank you so much for your answer but are you using your own self-hosted agent or Microsoft hosted agents?

felickz commented 5 months ago

> Hi @felickz ! Thank you so much for your answer but are you using your own self-hosted agent or Microsoft hosted agents?

MS hosted agent

0GiS0 commented 5 months ago

Thanks @felickz for your support 🎉!

I've created a PR with the steps you need to install this task