microsoft / GHAzDO-Resources

Resources, Scripts, etc. for GitHub Advanced Security on Azure DevOps
MIT License

AdvancedSecurity-Codeql-Init task codeqlpathstoignore does not work for csharp #36

Open ritesh-harry opened 5 months ago

ritesh-harry commented 5 months ago

Hello,

As per the title, I wanted to take advantage of the codeqlpathstoignore in the AdvancedSecurity-Codeql-Init task as there are some folders that don't need to be scanned. But when trying to use it we see the warning below in the pipeline:

[warning] The include/exclude paths options only have effect for JavaScript, Python, and Ruby

Will this task eventually support csharp for the codeqlpathstoignore ? Is there something else I need to do to get this to work?

Apologies if I have not raised this in the correct place. If you can redirect me that would be great.

Thank you.

davidcatriel commented 5 months ago

Hi Ritesh. This repo is just for add-on scripts to Advanced Security; your Init task question would be better off in the developer community (https://developercommunity.visualstudio.com/home). But just quickly - we're using the folder exclusion with C# without a problem so it might be something else in your script.

This is our task:

    - task: AdvancedSecurity-Codeql-Init@1
      displayName: 'Advanced Security Initialization'
      inputs:
        languages: 'csharp'
        querysuite: 'code-scanning'
        codeqlpathstoignore: 'path/subpath1, path/subpath2, path/subpath3'

ritesh-harry commented 5 months ago

Hi,

Thank you for the reply.

I will try it again and use the exact same task inputs as shown in your task to check if it makes any difference. I am using the default query suite, which I think is security-extended or something like that; maybe the warning that popped up in the pipeline is due to that...

If I have any further issues, I'll raise the question in the developer community.

Thanks again,

Cheers.

felickz commented 5 months ago

Referencing the GitHub docs here for the settings this is modifying under the covers:

> Specifying directories to scan
>
> When codebases are analyzed without building the code, you can restrict code scanning to files in specific directories by adding a paths array to the configuration file. You can also exclude the files in specific directories from analysis by adding a paths-ignore array. You can use this option when you run the CodeQL actions on an interpreted language (Python, Ruby, and JavaScript/TypeScript) or when you analyze a compiled language without building the code (currently supported for Java).

For compiled languages (like Csharp) using the traced build (how GHAzDO handles scanning currently ... CSharp without a build option coming eventually) - the best way to exclude code from analysis is to not compile it. I provide a few options for C#/.NET here: https://github.com/advanced-security/advanced-security-material/blob/main/troubleshooting/codeql-builds/compiled-languages-csharp.md#optimization---removing-code-from-scans

> Optimization - Removing Code From Scans
>
> CodeQL will extract and analyze any code that is passed through the compiler. Consider excluding any code you do not wish to include in a security scan to speed up and remove noise from this process. This is commonly employed for unit tests, demo code, or code that would not benefit from being scanned (ex: DacPacs).
>
> With .NET we can employ a few mechanisms to remove code from CodeQL scans (e.g. you would want to run your unit test in another workflow ):
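
As an added example (not code from this repository, from the linked troubleshooting page, or from any commenter), here is one shape of Azure Pipelines YAML that follows the advice above for a traced C# build: the Init task declares the language, the build step compiles only the application project instead of a solution that also holds test and demo projects, and the Analyze task then runs over what the compiler actually touched. The pool image, the project path `src/MyApp/MyApp.csproj`, the `DotNetCoreCLI@2` build step and the `AdvancedSecurity-Codeql-Analyze@1` task are assumptions for the example; only the Init task and its inputs come from the thread.

```yaml
trigger:
  - main

pool:
  vmImage: 'windows-latest'   # assumed image; any agent with the .NET SDK works

steps:
  - task: AdvancedSecurity-Codeql-Init@1
    displayName: 'Advanced Security Initialization'
    inputs:
      languages: 'csharp'
      querysuite: 'code-scanning'
      # For a traced C# build, CodeQL extracts whatever passes through the
      # compiler; this input only filters interpreted-language sources.
      codeqlpathstoignore: 'path/subpath1, path/subpath2'

  # Compile only the application project (assumed path). Test, demo and
  # sample projects it does not reference are never compiled, so the tracer
  # never sees them and they never reach the CodeQL database.
  - task: DotNetCoreCLI@2
    displayName: 'Build application project only'
    inputs:
      command: 'build'
      projects: 'src/MyApp/MyApp.csproj'
      arguments: '--configuration Release'

  # Run the analysis over the database built from the traced compile above.
  - task: AdvancedSecurity-Codeql-Analyze@1
    displayName: 'Advanced Security Code Scanning'
```

If several projects must be compiled in one pass, the same effect is obtained by pointing the build step at a solution filter (`.slnf`) that lists only the projects to scan, rather than at the full `.sln`. Either way, the check to run afterwards is to confirm that the excluded directories produce no alerts in the published results, which is the observable sign that they were never extracted.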

felickz commented 5 months ago

Adding to docs: https://github.com/MicrosoftDocs/azure-devops-yaml-schema/pull/335

woeterman94 commented 3 weeks ago

> Hi Ritesh. This repo is just for add-on scripts to Advanced Security; your Init task question would be better off in the developer community (https://developercommunity.visualstudio.com/home). But just quickly - we're using the folder exclusion with C# without a problem so it might be something else in your script.
>
> This is our task:
>
>     - task: AdvancedSecurity-Codeql-Init@1
>       displayName: 'Advanced Security Initialization'
>       inputs:
>         languages: 'csharp'
>         querysuite: 'code-scanning'
>         codeqlpathstoignore: 'path/subpath1, path/subpath2, path/subpath3'

This might be off-topic, but any idea if the codeqlpathstoignore parameter works with wildcards? Like 'path/subpath/*'