
JS Scanner Runs Extremely Slow in CodeQL Analysis

Open laipz8200 opened this issue 10 months ago • 3 comments

Hi,

We have observed that the JavaScript scanner in CodeQL runs extremely slowly. Below is a snippet from the logs:

[90/90 eval 156m41s] Evaluation done; writing results to codeql/javascript-queries/Security/CWE-730/RegExpInjection.bqrs.


This task took 156 minutes to complete, leading to a total execution time of approximately 2.5 hours for our GitHub Actions workflow. This significantly impacts our CI/CD efficiency.

Expected Behavior

We expect the JavaScript scanning process to complete in a more reasonable timeframe to ensure smooth and efficient CI/CD pipelines.

Actual Behavior

The scanning process is taking an excessive amount of time, causing long delays in our GitHub Actions runs.

laipz8200 avatar Feb 07 '25 04:02 laipz8200

👋 @laipz8200 I'm sorry to hear you encountered this problem. It seems like the RegExpInjection query explodes on your repository. I will forward this info to the internal team working on it, having your repository as a reproducer will surely help!

redsun82 avatar Feb 07 '25 08:02 redsun82

Hi @laipz8200.

Thanks for the report.

As also mentioned in https://github.com/github/codeql/issues/18584, this is a consequence of our recent switch to the same data flow library used by other languages. There are rare cases where this type of slowdown can occur and we're looking into ways to fix it, but for now I've added this reproduction case to our internal tracking issue.

In the meantime, the best workaround I can offer is to disable the specific query, by adding this to a file called .github/codeql/codeql-configuration.yml:

query-filters:
  - exclude:
      id: js/regex-injection

asgerf avatar Feb 07 '25 10:02 asgerf

In the meantime, the best workaround I can offer is to disable the specific query, by adding this to a file called .github/codeql/codeql-configuration.yml:

Thank you all very much for your responses. I tried adding the configuration file to the project, but it doesn’t seem to have solved the problem. I’m using GitHub’s default configuration—should I switch to the advanced configuration?

Here is the PR I used for testing: https://github.com/langgenius/dify/pull/13365

laipz8200 avatar Feb 08 '25 05:02 laipz8200
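For readers hitting the same slowdown: a query filter in .github/codeql/codeql-configuration.yml is only read when the workflow's init step is told where the file is. The workflow below is an added example, not something posted in this thread or shipped by codeql-action; it assumes the filter file from asgerf's reply already exists at that path, that `ubuntu-latest` and `main` are the runner and branch in use, and that code scanning default setup has been turned off in the repository settings so the workflow's own analysis is accepted.

```yaml
# .github/workflows/codeql.yml  (added example; path and branch names are assumptions)
name: "CodeQL (advanced setup)"

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload the SARIF results

    steps:
      - uses: actions/checkout@v4

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: javascript
          # Point the analysis at the file that carries the query-filters block;
          # without this input the file in .github/codeql/ is never consulted.
          config-file: ./.github/codeql/codeql-configuration.yml

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
```

After the run, the evaluation log should no longer contain a RegExpInjection.bqrs line, which is the quickest check that the exclusion actually took effect; the `[n/N eval …]` timings in the same log are also the place to look if a different query turns out to be the slow one.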