
Python codeql analysis hangs

Open phlax opened this issue 3 years ago • 4 comments

Description of the issue

I added a simple/default python config to a repo (https://github.com/envoyproxy/pytooling/commit/11d2fe8a6535444f9a3eba1d91d15e32362375db)

When it runs it always hangs at exactly the same place - the tail of the logs:

  Starting evaluation of codeql/python-queries/Security/CWE-730/PolynomialReDoS.ql.
  Starting evaluation of codeql/python-queries/Security/CWE-730/ReDoS.ql.
  Starting evaluation of codeql/python-queries/Security/CWE-730/RegexInjection.ql.
  Starting evaluation of codeql/python-queries/Security/CWE-918/FullServerSideRequestForgery.ql.
  Starting evaluation of codeql/python-queries/Diagnostics/ExtractionWarnings.ql.
  [2/31 eval 2ms] Evaluation done; writing results to codeql/python-queries/Diagnostics/ExtractionWarnings.bqrs.
  Starting evaluation of codeql/python-queries/Diagnostics/SuccessfullyExtractedFiles.ql.
  [3/31 eval 101ms] Evaluation done; writing results to codeql/python-queries/Diagnostics/SuccessfullyExtractedFiles.bqrs.
  Starting evaluation of codeql/python-queries/Summary/LinesOfCode.ql.
  [4/31 eval 5ms] Evaluation done; writing results to codeql/python-queries/Summary/LinesOfCode.bqrs.
  Starting evaluation of codeql/python-queries/Summary/LinesOfUserCode.ql.
  [5/31 eval 10.5s] Evaluation done; writing results to codeql/python-queries/Summary/LinesOfUserCode.bqrs.
  Error: The operation was canceled.

(I cancelled it after it had run for 1.5 hours - but it hangs at the same place almost immediately)

phlax avatar Mar 07 '22 15:03 phlax

Thank you for your report!

I was able to recreate the issue locally based on the repository you link to. In this case, it seems there is some performance issue in our computation of the Python method resolution order (MRO) for the classes in your project. Are you doing something tricky with inheritance or metaclasses?

Alas, this is not something that is easily remedied or mitigated, as the MRO computation underlies the points-to analysis that most of our queries depend on. Plans are underway for removing our reliance on the points-to analysis, but it'll take a while before these enhancements are completed.

In the meantime, I would like to understand the structure of your repo better. At a glance, it looks like it consists of a bunch of separate components that don't really depend on each other. Is this an accurate description?

I'm wondering if what's happening is that two (or more) separate pieces of code result in modules/packages with the same name being created (and so, every place this module is mentioned, we analyse the code as if it could refer to all of these modules). This kind of cross-talk between unrelated pieces of the code can really cause the analysis to blow up.

tausbn avatar Mar 08 '22 20:03 tausbn
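One way to test the duplicate-name hypothesis from the reply above is to list every dotted module name each component of the repository defines and flag names that more than one component defines. This is an added example, not the CodeQL team's or the repository's own code; the sample file layout is constructed and only loosely mimics a monorepo of separately packaged components.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample layout (assumption: top-level directories are separate
# components that each ship their own packages; the paths are made up and
# do not reproduce the real repository).
SAMPLE_FILES = [
    "aio.run/aio/__init__.py",
    "aio.run/aio/run/__init__.py",
    "aio.core/aio/__init__.py",
    "aio.core/aio/core/__init__.py",
    "envoy.base.utils/envoy/__init__.py",
    "envoy.base.utils/envoy/base/utils/__init__.py",
    "envoy.code.check/envoy/__init__.py",
    "envoy.code.check/envoy/code/check/__init__.py",
    "tests/test_runner.py",
]

def module_name(rel_path):
    """Dotted module name a .py file defines, relative to its component root.
    `pkg/__init__.py` defines `pkg`; `pkg/mod.py` defines `pkg.mod`."""
    p = PurePosixPath(rel_path)
    parts = list(p.parts[:-1])
    if p.name != "__init__.py":
        parts.append(p.stem)
    return ".".join(parts)

def module_definitions(files):
    """Map each dotted module name to the set of components defining it.
    The first path segment is taken to be the component."""
    defs = defaultdict(set)
    for f in files:
        p = PurePosixPath(f)
        if p.suffix != ".py" or len(p.parts) < 2:
            continue
        component = p.parts[0]
        name = module_name(PurePosixPath(*p.parts[1:]))
        if name:  # skip a bare __init__.py at the component root
            defs[name].add(component)
    return defs

def find_collisions(files):
    """Names defined by more than one component: the same-name cross-talk
    that can make the points-to analysis treat every candidate as a target."""
    return {n: sorted(c) for n, c in module_definitions(files).items()
            if len(c) > 1}

for name, comps in sorted(find_collisions(SAMPLE_FILES).items()):
    print(f"{name}: defined in {', '.join(comps)}")
```

To run it against a real checkout, feed `find_collisions` the repo-relative paths from `git ls-files '*.py'` instead of the constructed list; every name it reports is a package that several components each claim to own.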

Are you doing something tricky with inheritance or metaclasses?

Guilty, as charged!

There is an abstracts package for defining Interfaces and Abstractions, and that gets funky with MRO.

At a glance, it looks like it consists of a bunch of separate components that don't really depend on each other. Is this an accurate description?

As a general description, some of the packages are more generic (aio prefix) than the others (envoy packages) - the latter mostly depend on the former.

I'm gradually trying to rationalize the packages down - they were initially shifted out from the tooling section of envoy's repo.

I'm wondering if what's happening is that two (or more) separate pieces of code result in modules/packages with the same nam

I have a feeling that the namespacing is not quite correct in the packages - that is a possible explanation for that happening.

Thanks for looking into it further.

I'm wondering if there are some tests I can disable.

Also, I can experiment further - I'll try only running against 1 or 2 packages, and expand from there if it works - perhaps I'll be able to pinpoint the issue that way.

phlax avatar Mar 08 '22 22:03 phlax

@phlax is this issue resolved? My python codeql also hangs the same way you mentioned. If issue is resolved what is the fix ? My python codeql also hangs the same way

Harsha-Phvr avatar Feb 25 '24 05:02 Harsha-Phvr

@Harsha-Phvr seems to be. We didn't enable it for a while, but added it recently and all seems to work now.

phlax avatar Feb 25 '24 18:02 phlax