microsoft / GHAzDO-Resources

Resources, Scripts, etc. for GitHub Advanced Security on Azure DevOps
MIT License
31 stars 14 forks

Condition for CodeQL Analysis Task DevOps YAML Pipeline #32

Closed ritesh-harry closed 1 month ago

ritesh-harry commented 5 months ago

Hello,

I have managed to integrate GHAS for Azure DevOps into all my yaml pipelines.

I wanted to find out if there is a way to halt the pipeline or skip a task in the same pipeline if the Advanced Security Perform CodeQL analysis task does/does not find any vulnerabilities?

When the Advanced Security Perform CodeQL analysis task detects any vulnerabilities we see the below in the task pipeline run -

Analyzing CodeQL execution results. The Analyze task succeeded without any issues.

When the Advanced Security Perform CodeQL analysis task detects no vulnerabilities we see the below in the task pipeline run -

Analyzing CodeQL execution results. The CodeQL analysis has successfully completed, however no violations were detected for the following language(s): 'csharp'. If you think there should be violations, please refer to this document for troubleshooting https://aka.ms/codeQL-no-result

I thought about using the variable below, which is set by default in the Advanced Security Perform CodeQL analysis task, as a condition in the same yaml pipeline on whether or not subsequent task(s) should run, but this variable is always set to true so I cannot use it. The SARIF file is still generated even if there are no vulnerabilities, which is fine.

##[debug]Processed: ##vso[task.setvariable variable=advancedsecurity.codeql.results.published;isOutput=false;issecret=false;]true

Is there a way to check/read the SARIF file in the Advanced Security Perform CodeQL analysis task, to see if it has any sort of information in there regarding the detection of any vulnerabilities or something along those lines? This is to determine whether the task has or has not detected any vulnerabilities. By this I mean: can I check, in a subsequent task in my yaml pipeline, the output of the Advanced Security Perform CodeQL analysis task to see whether it has detected vulnerabilities, and then set a custom variable or use some built-in variable relating to the task as a condition, which can be used to run subsequent task(s) or to log an error message etc.?

To try to explain better what I am trying to achieve: I am currently doing something similar with the Advanced Security Dependency Scanning task, whereby I am reading the log file from the task, which actually states if any vulnerabilities have been found. For example, the log file contains the below if vulnerabilities have been found,

[WRN] Dependency Scanning has detected

Depending on whether or not the Advanced Security Dependency Scanning task has detected any vulnerabilities, I can set a custom variable which I can use in subsequent task(s) in the same yaml pipeline, for example, forcing the pipeline to complete with issues if there are any dependency vulnerabilities detected.

If you can provide any ideas on how I can achieve what I am trying to do that will be greatly appreciated.

Apologies if I have not raised this in the correct place. If you can redirect me that would be great.

Thank you.
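One way to do what the question asks, reading the SARIF in a later step and turning it into pipeline variables and a task result. This is an added example in Python, not code from the GHAzDO-Resources repo or from the CodeQL task; the SARIF location is an assumption (pass it as the first argument), and the embedded SARIF document is constructed for the demo. As noted later in the thread, raw SARIF knows nothing about alerts that were dismissed in the portal, so it can only tell you what the scan found, not what is still open.

```python
"""Count CodeQL findings in a SARIF log and hand the result to later pipeline steps.

Added example; not from the GHAzDO-Resources repo. The SARIF path is an assumption
(argv[1]); SAMPLE below is a constructed SARIF 2.1.0 document.
"""
import json
import sys
from collections import Counter

# Constructed sample: three results, one carrying an in-source suppression that
# should not count as an open finding.
SAMPLE = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL", "rules": [
            {"id": "cs/sql-injection", "defaultConfiguration": {"level": "error"},
             "properties": {"security-severity": "8.8"}},
            {"id": "cs/log-forging", "defaultConfiguration": {"level": "warning"},
             "properties": {"security-severity": "6.5"}},
            {"id": "cs/useless-assignment", "defaultConfiguration": {"level": "note"}},
        ]}},
        "results": [
            {"ruleId": "cs/sql-injection", "level": "error", "message": {"text": "..."}},
            {"ruleId": "cs/log-forging", "message": {"text": "..."},
             "suppressions": [{"kind": "inSource"}]},
            {"ruleId": "cs/useless-assignment", "message": {"text": "..."}},
        ],
    }],
}


def _rules_by_id(run):
    return {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}


def _is_suppressed(result):
    # SARIF 2.1.0: a suppression whose status is "accepted" (the default when the
    # status property is absent) means the result is suppressed.
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions", []))


def severity_of(result, rules):
    """GitHub's security-severity (a CVSS-style score) mapped to its documented
    buckets (>=9.0 critical, >=7.0 high, >=4.0 medium, else low); otherwise fall
    back to the SARIF level on the result or the rule's default level."""
    rule = rules.get(result.get("ruleId"), {})
    score = rule.get("properties", {}).get("security-severity")
    if score is not None:
        s = float(score)
        return "critical" if s >= 9.0 else "high" if s >= 7.0 else "medium" if s >= 4.0 else "low"
    return result.get("level") or rule.get("defaultConfiguration", {}).get("level", "warning")


def count_findings(sarif):
    """Severity counts over unsuppressed results across all runs in the log."""
    counts = Counter()
    for run in sarif.get("runs", []):
        rules = _rules_by_id(run)
        for result in run.get("results", []):
            if not _is_suppressed(result):
                counts[severity_of(result, rules)] += 1
    return counts


def pipeline_commands(counts, fail_on=("critical", "high")):
    """Azure Pipelines logging commands: two output variables for later steps'
    `condition:` expressions, plus an error and SucceededWithIssues when the
    blocking severities are present."""
    total = sum(counts.values())
    blocking = sum(counts[s] for s in fail_on)
    cmds = [f"##vso[task.setvariable variable=codeql.findings;isOutput=true]{total}",
            f"##vso[task.setvariable variable=codeql.blocking;isOutput=true]{blocking}"]
    if blocking:
        cmds.append(f"##vso[task.logissue type=error]CodeQL reported {blocking} "
                    "high/critical finding(s)")
        cmds.append("##vso[task.complete result=SucceededWithIssues;]codeql gate")
    return cmds


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            sarif = json.load(fh)
    else:
        sarif = SAMPLE
    for cmd in pipeline_commands(count_findings(sarif)):
        print(cmd)


if __name__ == "__main__":
    main(sys.argv)
```

Because the variables are emitted with `isOutput=true`, the step that runs this script needs a `name:` (say `codeqlgate`), and a later step in the same job can then use `condition: gt(variables['codeqlgate.codeql.blocking'], 0)` to run only when there is something to act on.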

felickz commented 5 months ago

The gating sample is an alternative way to handle this. It calls the alert API after the SARIF has been parsed by the Advanced Security Service. This can be an advantage because there may be alerts that have been previously dismissed as false positive that would be noise to block on. The raw SARIF that is generated by code scanning won't be aware of the state of the alert, but the API will be able to handle this.

ritesh-harry commented 5 months ago

Hi,

Thank you for the suggestion. I will try this out and check if I can get it working for my use case.

Thank you.

ritesh-harry commented 5 months ago

Hi,

Please can you confirm what useDatabaseProvider=true does?

In the gating.ps1 script, line 33: $url = "https://advsec.dev.azure.com/{0}/{1}/_apis/AdvancedSecurity/Repositories/{2}/alerts?useDatabaseProvider=true" -f $orgName, $project, $repositoryId

Thank you.

felickz commented 5 months ago

useDatabaseProvider=true

This is legacy and should be the default going forward. An artifact from the preview days of the API 💟.

ritesh-harry commented 5 months ago

Got it, thanks. I had excluded it in the URL and noticed the results returned are the same. The script works great, I have tweaked it to suit our needs and currently testing.

I noticed there are pr-gating scripts, would that add annotations to Pull Requests if Advanced Scanning does detect any vulnerabilities?

Thank you.

ritesh-harry commented 5 months ago

Hi,

For some repositories I am seeing an alert count, when checking via the API, which is higher or even lower than what is shown in the AzDO portal. For example, for one of the repositories that has scanning enabled, in the portal we see that dependency scanning has picked up n alerts, but when checking via the API it returns 0 results: no alert(s) found.

Are you able to advise why this may be happening? It seems very strange. Nothing has been closed or resolved, so when checking the API some results should definitely be returned.

Thank you.

ritesh-harry commented 5 months ago

Looks like I needed to use the continuationToken parameter in the API call. But it still doesn't make sense that some repositories show more or fewer alerts in the portal vs the API.

ritesh-harry commented 5 months ago

I think I may have fixed this. I added an "unknown" severity type, which seems to do nothing when running the script locally, but when the script is run in AzDO it returns a number higher than what is actually found.
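The gating approach felickz describes above (query the alerts API after the service has parsed the SARIF, so dismissed alerts don't block), together with the two problems hit later in the thread (only the first page is returned unless the continuation token is followed, and a severity filter that silently changes the count), as an added example in Python. It is not the repo's gating.ps1. Assumptions: the list endpoint accepts `continuationToken` and `top` query parameters and returns the next token in an `x-ms-continuationtoken` response header (with a `continuationToken` body field as fallback); alert objects carry `severity` and `state` fields; `api-version=7.2-preview.1`. The page fetcher is injectable, and the two-page response below is constructed so the logic runs offline.

```python
"""Gate a pipeline on open Advanced Security alerts, paging through the alerts API.

Added example, not the repo's gating.ps1. Assumed API shape: `continuationToken`/`top`
query parameters, next token in the `x-ms-continuationtoken` header (or body field),
alerts with `severity` and `state`. `useDatabaseProvider` is omitted, as the thread
says it is a legacy parameter.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter

API_VERSION = "7.2-preview.1"  # assumption


def alerts_url(org, project, repo_id, continuation_token=None, top=100):
    base = (f"https://advsec.dev.azure.com/{org}/{project}/_apis/AdvancedSecurity/"
            f"Repositories/{repo_id}/alerts")
    params = {"api-version": API_VERSION, "top": top}
    if continuation_token:
        params["continuationToken"] = continuation_token
    return base + "?" + urllib.parse.urlencode(params)


def make_http_fetcher(bearer_token):
    """Real fetcher: GET with Bearer auth ($(System.AccessToken) inside a pipeline).
    Returns (alerts_on_page, next_token_or_None)."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {bearer_token}"})
        with urllib.request.urlopen(req) as resp:
            body = json.load(resp)
            token = resp.headers.get("x-ms-continuationtoken") or body.get("continuationToken")
        return body.get("value", []), token or None
    return fetch


def collect_alerts(fetch, org, project, repo_id, max_pages=1000):
    """Follow continuation tokens until the service stops returning one. Without
    this loop only the first page is counted, which is the under-count seen in
    the thread. A repeated token is treated as a server bug rather than looped on."""
    alerts, token, seen = [], None, set()
    for _ in range(max_pages):
        page, token = fetch(alerts_url(org, project, repo_id, token))
        alerts.extend(page)
        if not token:
            break
        if token in seen:
            raise RuntimeError("continuation token repeated; aborting pagination")
        seen.add(token)
    return alerts


def gate(alerts, block_on=("critical", "high"), states=("active",)):
    """Return (blocking_count, severity_counts). Only alerts whose state is in
    `states` count, so alerts dismissed in the portal do not block. Severities are
    counted as reported (lower-cased), so an unexpected value such as "Unknown"
    shows up in the counter instead of being folded into a known bucket."""
    live = [a for a in alerts if a.get("state") in states]
    counts = Counter(str(a.get("severity", "unknown")).lower() for a in live)
    return sum(counts[s] for s in block_on), counts


# Constructed two-page response standing in for the service (not real data).
_PAGES = {
    None: ([{"alertId": 1, "severity": "critical", "state": "dismissed"},
            {"alertId": 2, "severity": "high", "state": "active"}], "page2"),
    "page2": ([{"alertId": 3, "severity": "low", "state": "active"},
               {"alertId": 4, "severity": "Unknown", "state": "active"}], None),
}


def fake_fetch(url):
    qs = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return _PAGES[qs.get("continuationToken", [None])[0]]


def run_gate(fetch=fake_fetch, org="org", project="project", repo_id="repo-id"):
    alerts = collect_alerts(fetch, org, project, repo_id)
    blocking, counts = gate(alerts)
    print(f"{len(alerts)} alert(s) fetched; open by severity: {dict(counts)}")
    if blocking:
        print(f"##vso[task.logissue type=error]{blocking} active high/critical alert(s)")
        print("##vso[task.complete result=Failed;]alert gate")
    return blocking, counts


if __name__ == "__main__":
    run_gate()
```

To run it against a real repository, replace `fake_fetch` with `make_http_fetcher(token)`; the pipeline's `$(System.AccessToken)` works when the build identity has been granted Advanced Security read permission on the repository. Compare `counts` against the portal: a mismatch after pagination is fixed usually comes down to either the state filter (the portal shows only active alerts by default) or a severity value the script was not expecting.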