
CodeQL: Setting paths in Github Advanced Security for Azure Devops #18372

Open
woeterman94 opened this issue Dec 27, 2024 · 4 comments
Labels
question Further information is requested

Comments


woeterman94 commented Dec 27, 2024

I'm using GitHub Advanced Security in Azure DevOps in a monorepo, with the following folder structure:

.
└── apps/
    ├── frontend/
    │   ├── green-app
    │   └── red-app
    └── backend/
        ├── green-app
        └── red-app

By default the CodeQL task will scan the ENTIRE code base, which is not what I want.

How can I configure GitHub Advanced Security to only scan one project? For example, the front-end and back-end folders for the green-app.

I tried setting the sources folder to the back-end folder. But then I'm not able to "reach" the front-end folder when I set the codeqlpathstoinclude parameter. When I try this:

  - task: AdvancedSecurity-Codeql-Init@1
    condition: and(succeededOrFailed(), ${{parameters.runGithubAdvancedSecurity}})
    displayName: 'Github Advanced Security: Initialize 🛡'
    inputs:
      languages: 'csharp,javascript'
      sourcesfolder: '$(System.DefaultWorkingDirectory)/apps/backend/green-app'
      codeqlpathstoinclude: '../frontend/green-app'

(Following the docs: "The paths must be relative to the sourcesfolder where CodeQL is running, which defaults to the Build.SourcesDirectory pipeline environment variable. For example, to include the $(Build.SourcesDirectory)/app directory, set codeqlpathstoinclude: app rather than codeqlpathstoinclude: $(Build.SourcesDirectory)/app.")

I get:

Only found JavaScript or TypeScript files that were empty or contained syntax errors

Wildcards are also giving issues:
apps/*/green-app/**/*

What am I doing wrong here? Is there any other way I can accomplish this?

@woeterman94 woeterman94 added the question Further information is requested label Dec 27, 2024
@jketema jketema changed the title CodeQL: Setting paths in Github Advanced Security for Devops CodeQL: Setting paths in Github Advanced Security for Azure Devops Dec 27, 2024

jketema commented Dec 27, 2024

Hi @woeterman94,

I've asked people knowledgeable about the Azure Devops setup to take a look at your question. Note that their response might be somewhat delayed, because many people have holidays around this time of year.


felickz commented Dec 27, 2024

I would suggest a similar approach:

  • remove the sources folder directive; you are accomplishing that with the paths include filter
  • use paths include with glob: apps/**/green-app/**
    • Standard glob rules for CodeQL apply: here
  • CSharp paths include/ignore filtering only works if you switch to none for buildtype; testing with your JS should still work though (docs). Otherwise CodeQL CSharp will scan everything that compiles between the Init and Analyze steps.


woeterman94 commented Jan 3, 2025

you are accomplishing that with paths include filter

I thought the paths include filter only works for typescript code and not C#?

codeqlpathstoinclude setting applies only when you run the CodeQL tasks on an interpreted language (Python, Ruby, and JavaScript/TypeScript).

How can I include only the C# code for the project I'm building?
Also, how can I set buildtype in codeQL for Azure Devops?


felickz commented Jan 7, 2025

I thought the paths include filter only works for typescript code and not C#?

Ah great catch, need a docs update to support the scanning without a build feature: MicrosoftDocs/azure-devops-yaml-schema#360

How can I include only the C# code for the project I'm building?
Also, how can I set buildtype in codeQL for Azure Devops?

The docs for setting the build type none are @Code scanning build mode customization
(task documentation)

  • none - the CodeQL database is created directly from the codebase without building the codebase (all C# source code under the source root - observes the path / paths-ignore filters)
  • manual - (this is the out of the box behavior) everything you build between the Init and Analyze steps is included.
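Putting the two suggestions from this thread together, here is what the pipeline fragment from the original question looks like once the sources folder override is dropped, the glob include filter is used, and the build type is switched to none. This is an added illustration, not code posted by anyone in the issue; the name of the Analyze task (AdvancedSecurity-Codeql-Analyze@1) is taken from the Azure DevOps task documentation rather than from this thread, and the exact spelling of the buildtype input should be checked against the task documentation linked above.

```yaml
# Added example (not from the issue): CodeQL Init/Analyze configured per the
# suggestions in this thread. Assumption: the Analyze task name below comes
# from the Azure DevOps task docs, not from the thread itself.
steps:
  # Before (from the question): sourcesfolder was narrowed to
  # apps/backend/green-app, so '../frontend/green-app' pointed outside the
  # source root and CodeQL only found empty or unparseable JS files.
  #
  # After: leave sourcesfolder at its default (Build.SourcesDirectory) and
  # select the green-app trees under both apps/frontend and apps/backend
  # with one glob. Paths are relative to the sources folder.
  - task: AdvancedSecurity-Codeql-Init@1
    displayName: 'GitHub Advanced Security: Initialize'
    inputs:
      languages: 'csharp,javascript'
      # Standard CodeQL glob rules: '**' matches any number of path segments,
      # so this covers apps/frontend/green-app and apps/backend/green-app.
      codeqlpathstoinclude: 'apps/**/green-app/**'
      # The include/ignore filters only take effect for C# when the database
      # is created directly from source. With the default 'manual' build
      # type, everything compiled between Init and Analyze is scanned and the
      # filter is ignored for C#.
      buildtype: 'none'

  # With buildtype 'none' there is no build step between Init and Analyze;
  # any build tasks that only exist to feed CodeQL can be removed here.

  - task: AdvancedSecurity-Codeql-Analyze@1
    displayName: 'GitHub Advanced Security: Analyze'
```

Note that with build type none the C# extractor sees only what is under the source root and matches the filter, so generated or restored code that is normally produced by the build is not analyzed; if your findings depend on that code, the manual build type with a build scoped to the green-app projects is the alternative, at the cost of the path filter not applying to C#.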
