codeql
Better explain how to exclude paths for compiled languages
The current explanation in GitHub's FAQ says:
For compiled languages, if you want to limit code scanning to specific directories in your project, you must specify appropriate build steps in the workflow. The commands you need to use to exclude a directory from the build will depend on your build system. For more information, see "Configuring the CodeQL workflow for compiled languages."
However, there's no example or explanation of how to actually do it. Inside CodeQL's runner there is an exclude configuration for Java code:

```
$ ./codeql resolve extractor --language=java --format=betterjson
{
  "extractor_root" : "/Users/me/codeql/codeql/java",
  "extractor_options" : {
    "exclude" : {
      "title" : "A glob excluding files from analysis.",
      "description" : "A glob indicating what files to exclude from the analysis.\n",
      "type" : "string"
    }
  }
}
```
However, I couldn't find a way to send this configuration to the CodeQL workflow.
Thanks for the suggestion; I have passed this to the docs team to look at improving that documentation.
@rlsf while the docs team is working on that, this appears to be a usable (but clunky) workaround: https://josh-ops.com/posts/github-codeql-ignore-files/
Has the documentation been improved?
I am also struggling to understand how to really exclude paths for compiled languages.
The CodeQL CLI documentation suggests that there are various "plumbing" commands and options (like the `--source-root` parameter for the `database create` command, or the `database index-files` command with an exclude option), but a more comprehensive example would be really useful.
The relevant code scanning documentation is at https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#configuring-code-scanning-for-compiled-languages -- in short, for a compiled language, use a custom build command that only builds the files you're interested in analysing. For the CLI, that corresponds to using the `-c` argument to `database create` in order to supply a build command and suppress the default auto-build behaviour.
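As an added example (not from this thread, the docs, or the CodeQL project itself), here is what that advice looks like as an advanced-setup workflow for a Maven multi-module Java project: the action's autobuilder is disabled and a manual build step compiles only the modules that should be analysed. The module names `core` and `api` are placeholders; anything not compiled in that step never reaches the extractor, so it never appears in results.

```yaml
name: "CodeQL (Java, selected modules only)"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # required to upload the SARIF results
      contents: read

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '17'

      # build-mode: manual tells the action NOT to run its autobuilder.
      # For compiled languages, paths-ignore in a config file has no effect;
      # the database only contains what the build step below compiles.
      - uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin
          build-mode: manual

      # Only the listed modules are compiled, so only they are analysed.
      # 'core' and 'api' are placeholder module names for this example;
      # '-am' also builds the modules they depend on. A 'legacy' or
      # 'test-fixtures' module left out of this list is effectively excluded.
      - name: Build selected modules
        run: mvn -B -DskipTests package -pl core,api -am

      - uses: github/codeql-action/analyze@v3
        with:
          category: "/language:java-kotlin"
```

The CLI equivalent of the same idea is `codeql database create <db-dir> --language=java --command="mvn -B -DskipTests package -pl core,api -am"`, where the placeholder module list again decides what gets extracted.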
I am also struggling with the documentation on how to exclude files from being scanned by CodeQL. Seems the documentation is not properly updated yet.
Some pieces of the doc even suggest there is a simple CLI argument called --paths-ignore which I can't get to work.
Example reference here or here.
Having such a simple argument --paths-ignore in whatever form would actually be great. I would not mind using a comma-separated list of paths as one string value, or specifying the same argument multiple times, rather than --path-ignore always with one path only.