CodeQL with submodules #21632
-
Looking for best practices on setting up CodeQL analysis with submodules. Currently we are running the analysis from the top repo, but for any alerts in the submodules it reports “Preview unavailable”, “Sorry, we couldn’t find this file in the repository.” Is there a way to tell CodeQL to look in the submodule repo? Also we’d really like to run the analysis on submodule pull requests, is there a preferred method? My thought is to checkout the top repo recursively, then checkout the pull request reference and run the analysis and hopefully the report will then actually show the code with the alert? Any better way to tell CodeQL we really only care about alerts from the specific submodule? EDIT - I did just find the configuration capability to specify directories… so one part solved
Replies: 16 comments
-
Ok, so I’m checking out the main repo with submodules (gets default submodule), then checking out the submodule (gets the reference submodule) into the expected directory… so I think I’m in business, and should be able to build the code and run analysis on just the submodule (using the path option)
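The procedure described in the two posts above (recursive checkout of the superproject, re-checkout of the submodule at the ref under review, analysis restricted to the submodule directory), written out as an added example workflow; it is not the poster's own workflow, and ORG/top-repo, the submodule directory sub/ and the cmake build line are placeholders.

```yaml
# Added example, not from the thread. Placeholders: ORG/top-repo, sub/, cmake build.
name: CodeQL (single submodule)
on:
  workflow_dispatch:
    inputs:
      submodule_ref:
        description: Submodule ref to analyze (branch, tag or PR head SHA)
        required: true
jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload code scanning results
    steps:
      # 1. Superproject with the submodule at its pinned (default) commit
      - uses: actions/checkout@v4
        with:
          repository: ORG/top-repo
          submodules: recursive
      # 2. Move only the submodule to the ref under review; the superproject
      #    build still sees it at the expected directory
      - name: Check out submodule at the requested ref
        run: |
          git -C sub fetch --depth=1 origin "${{ inputs.submodule_ref }}"
          git -C sub checkout --detach FETCH_HEAD
      # 3. The "paths" configuration option limits alerts to the submodule
      - uses: github/codeql-action/init@v3
        with:
          languages: c-cpp
          config: |
            paths:
              - sub
      # 4. Build from the superproject so the submodule compiles in context
      - run: cmake -S . -B build && cmake --build build
      - uses: github/codeql-action/analyze@v3
```

Alert locations are still reported relative to the superproject (sub/file.c), so this does not change the preview behaviour discussed later in the thread.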
-
I’m happy to hear that! Let us know if you need help with anything.
-
The only remaining issue is in reviewing code scanning alerts I still get “Preview unavailable Sorry, we couldn’t find this file in the repository.” Since the submodule is down 1 directory (builds from main_repo_dir): main_repo_dir So all code references look like submodule_repo_dir/code.c#L52, but to resolve from within the submodule it would need to be code.c#L52 (without the submodule_repo_dir). Is there any way to strip the leading directory from the reported reference? It’s not all that hard to figure out things by hand, but it would be nice if there was a way to make the links work. The simple example here isn’t that bad, but imagine 10+ submodules all at different locations in the directory structure…
-
Hi, I checked in with the engineering team for this, and the missing context for annotations within submodules is a known limitation. However, stripping the directory alone would not be enough here, as we (at that point) do not look through the submodule reference at all.
-
Thanks for the feedback, looking forward to improvements! Running CodeQL analysis in our workflow has been very beneficial! I’m actually trying it two ways, one is running the analysis as an action from the top repo (which makes sense that it’s extra work to get to the submodule reference), but I’m also running the analysis from the submodule to analyze PRs at that level. I’d think when run from the submodule the path just needs to be correct? Example of the submodule analysis at osal/codeql-build.yml at 4de3def9cd60a72486616f682800449d2953dbfe · skliper/osal · GitHub (nasa/cFS is the main repo, osal is the submodule of interest).
-
Hi, I agree that the second way should work. I would expect that if you run your workflow on the osal repo, it should do an analysis of that, and also report all findings with preview et al.
-
Thanks for looking! Just updated the workflow to run on all pushes. See Actions · skliper/osal · GitHub, and the reference issue in https://github.com/skliper/osal/security/code-scanning/93?query=ref%3Arefs%2Fheads%2Ffix775-add_codeql (I think the osal/src/tests/time-base-api-test/time-base-api-test.c#L223 link just needs “osal/” removed).
-
Sorry for the really late reply, somehow this thread slipped through the cracks. I am in conversations now with the engineering teams - two workarounds I had in my mind already don’t work, I’ll get back to you if I find something that does.
-
a) We are tracking a bug in the
See also CodeQL Code Scanning: improvements for users analyzing codebases on 3rd party CI/CD systems - GitHub Changelog for this workflow. That blog post also links to the codeql CLI documentation. I believe that you will not need to install |
-
criemen:
In theory, to use the codeql commands in a GitHub actions workflow, codeql-actions will need to be initialized using I was also looking into possibly downloading the zip CodeQL Bundle, but I am having issues doing so on the command line.
-
Hi @ArielSAdamsNASA , Otherwise, you should be able to install the latest CLI release from https://github.com/github/codeql-cli-binaries/releases/latest and use that. Follow the instructions at https://codeql.github.com/docs/codeql-cli/getting-started-with-the-codeql-cli/ to also get the necessary queries. Let me know if you need any more help!
-
Thank you! I was able to use the latest CLI release in a GitHub Actions workflow, however, the preview is still unavailable.
-
Can you take a screenshot? This page is not publicly accessible.
-
Workflow:
Output:
-
That is strange! I’ve pinged the engineering team, and will get back to you once I’ve heard from them.
-
Hi Ariel,
the engineering team confirmed this behavior as normal.
The reason is that we currently don’t look for files across submodules for the preview.
There is an internal feature request that we produce the snippet that’s shown there as part of the analysis of the code, and then use that for the preview window, but that feature is not being worked on right now.
Let me know if I can help you further.