
C# build fails when invoking command from dotnet tools

Open svalbuena opened this issue 11 months ago • 3 comments

My .NET solution has a project that uses a dotnet tool command to generate code from an OpenApi spec. This works fine in my GH workflows and local environment but fails in the CodeQL action. The CodeQL action attempts to inject invalid parameters into this command. I've found an old PR that attempts to fix a very similar issue, https://github.com/github/codeql/pull/13794, but that does not seem to fix my issue. I think this issue happened on version v2 of the CodeQL actions as well.

dotnet-tools.json file:

{
  "version": 1,
  "isRoot": true,
  "tools": {
    "nswag.consolecore": {
      "version": "14.0.3",
      "commands": [
        "nswag"
      ]
    }
  }
}

global.json (This already happened when the project was in .NET 6):

{
  "sdk": {
    "version": "8.0.200",
    "rollForward": "latestFeature",
    "allowPrerelease": false
  }
}

SwaggerDefinition.csproj of the project that fails:

<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <OutputType>Library</OutputType>
    <NoDefaultLaunchSettingsFile>true</NoDefaultLaunchSettingsFile>
  </PropertyGroup>

  <ItemGroup>
    <OpenApiSpec Include="api-spec.json" />
    <NSwagServer Include="nswag-server.json" />
    <NSwagClient Include="nswag-client.json" />
    <GeneratedServerCode Include="ApiServer_generated.cs" />
    <GeneratedClientCode Include="ApiClient_generated.cs" />

    <NSwagDependencies Include="SwaggerDefinition.csproj;@(OpenApiSpec);@(NSwagServer);@(NSwagClient)" />
    <NSwagGenerated Include="@(GeneratedServerCode);@(GeneratedClientCode)" />
  </ItemGroup>

  <Target Name="RunNSwag" BeforeTargets="BeforeCompile;CoreCompile" Inputs="@(NSwagDependencies)" Outputs="@(NSwagGenerated)">
    <Exec Command="dotnet tool restore" />
    <Message Importance="High" Text="Generating code from OpenApi spec..." />
    <Exec Command="dotnet nswag run @(NSwagServer) /variables:OpenApiSpecFile=@(OpenApiSpec),Namespace=Api.Server,Output=@(GeneratedServerCode)" />
    <Exec Command="dotnet nswag run @(NSwagClient) /variables:OpenApiSpecFile=@(OpenApiSpec),Namespace=Api.Client,Output=@(GeneratedClientCode)" />
  </Target>

  <ItemGroup>
    <Compile Remove="*_generated.cs" />
  </ItemGroup>

</Project>

SwaggerDefinition project content:

SwaggerDefinition
|
 -- SwaggerDefinition.csproj
 -- api-spec.json
 -- nswag-client.json
 -- nswag-server.json

The error in the CodeQL GH workflow:

2024-03-04T06:54:29.5538939Z Running /home/runner/work/_temp/codeql_databases/csharp/working/.dotnet/dotnet build --no-incremental /home/runner/work/svalbuena/Solution.sln
2024-03-04T06:54:29.7120349Z MSBuild version 17.9.4+90725d08d for .NET
2024-03-04T06:54:31.0562838Z   Determining projects to restore...
2024-03-04T06:54:31.7560432Z   All projects are up-to-date for restore.
2024-03-04T06:54:34.2140644Z   Skipping NuGet package signature verification.
2024-03-04T06:54:34.6077126Z   Tool 'nswag.consolecore' (version '14.0.3') was restored. Available commands: nswag
2024-03-04T06:54:34.6081509Z   
2024-03-04T06:54:34.6153772Z   Restore was successful.
2024-03-04T06:54:34.6279022Z   Generating code from OpenApi spec...
2024-03-04T06:54:35.0473533Z   NSwag command line tool for .NET Core Net80, toolchain v14.0.3.0 (NJsonSchema v11.0.0.0 (Newtonsoft.Json v13.0.0.0))
2024-03-04T06:54:35.0488160Z   Visit http://NSwag.org for more information.
2024-03-04T06:54:35.0510648Z   NSwag bin directory: /home/runner/.nuget/packages/nswag.consolecore/14.0.3/tools/net8.0/any
2024-03-04T06:54:35.0806802Z   NConsole.UnusedArgumentException: Unrecognised arguments are present: [-p:EmitCompilerGeneratedFiles=true, --, nswag-server.json]
2024-03-04T06:54:35.0808872Z      at NConsole.CommandLineProcessor.ProcessSingleAsync(String[] args, Object input)
2024-03-04T06:54:35.0810075Z      at NConsole.CommandLineProcessor.ProcessAsync(String[] args, Object input)
2024-03-04T06:54:35.1001386Z      at NSwag.Commands.NSwagCommandProcessor.ProcessAsync(String[] args) in /_/src/NSwag.Commands/NSwagCommandProcessor.cs:line 62
2024-03-04T06:54:35.1004640Z /home/runner/work/Solution/src/SwaggerDefinition/SwaggerDefinition.csproj(23,5): error MSB3073: The command "dotnet nswag run nswag-server.json /variables:OpenApiSpecFile=api-spec.json,Namespace=Api.Server,Output=ApiServer_generated.cs" exited with code 255.
2024-03-04T06:54:35.1456954Z 
2024-03-04T06:54:35.1457702Z Build FAILED.
2024-03-04T06:54:35.1458351Z 
2024-03-04T06:54:35.1461039Z /home/runner/work/Solution/src/SwaggerDefinition/SwaggerDefinition.csproj(23,5): error MSB3073: The command "dotnet nswag run nswag-server.json /variables:OpenApiSpecFile=api-spec.json,Namespace=Api.Server,Output=ApiServer_generated.cs" exited with code 255.
2024-03-04T06:54:35.1463938Z     0 Warning(s)
2024-03-04T06:54:35.1543634Z     1 Error(s)
2024-03-04T06:54:35.1543897Z 
2024-03-04T06:54:35.1544051Z Time Elapsed 00:00:05.30
2024-03-04T06:54:35.1813354Z Exit code 1

codeql.yaml:

name: CodeQL

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    - cron: 16 5 * * 5

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    timeout-minutes: 360
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language:
          - csharp
          - javascript
    steps:
    - name: Checkout Repository
      uses: actions/checkout@v4
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v3
      with:
        languages: ${{ matrix.language }}
    - name: Autobuild
      uses: github/codeql-action/autobuild@v3
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v3
      with:
        category: "/language:${{matrix.language}}"

The project is private and can't be shared, so I can't provide a link to it.

svalbuena, Mar 04 '24 08:03

Hi @svalbuena 👋

Thanks for reporting this problem and including as much information as you have -- that's all very helpful! Judging by the build log, it does indeed look like we incorrectly inject the extra arguments here.

I will investigate this a bit further and see if we can get this fixed.

mbg, Mar 04 '24 10:03

I think the team actually already merged a change last week which should address this in the next CodeQL release (2.16.4). The next release should become available later this week.

Could you try the new version once it becomes available and report back whether the problem is resolved for you then?

mbg, Mar 04 '24 17:03

Looks promising! Thank you! I'll let you know next week

svalbuena, Mar 05 '24 08:03

Issue seems to be solved with the latest version, working well so far, thank you!

svalbuena, Mar 31 '24 19:03
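
An added triage example, not part of the original thread and not CodeQL's code: it scans a build log like the one in the opening post for an MSBuild property switch that a tool rejected as an argument, then pairs it with the following MSB3073 error to confirm the switch is absent from the command the project itself wrote. The function name and the matching heuristic are assumptions; the sample lines are copied from the log quoted in the issue.

```python
import re

# Sample input: three lines copied from the build log quoted in the issue.
SAMPLE_LOG = """\
2024-03-04T06:54:35.0806802Z   NConsole.UnusedArgumentException: Unrecognised arguments are present: [-p:EmitCompilerGeneratedFiles=true, --, nswag-server.json]
2024-03-04T06:54:35.1004640Z /home/runner/work/Solution/src/SwaggerDefinition/SwaggerDefinition.csproj(23,5): error MSB3073: The command "dotnet nswag run nswag-server.json /variables:OpenApiSpecFile=api-spec.json,Namespace=Api.Server,Output=ApiServer_generated.cs" exited with code 255.
2024-03-04T06:54:35.1461039Z /home/runner/work/Solution/src/SwaggerDefinition/SwaggerDefinition.csproj(23,5): error MSB3073: The command "dotnet nswag run nswag-server.json /variables:OpenApiSpecFile=api-spec.json,Namespace=Api.Server,Output=ApiServer_generated.cs" exited with code 255.
"""

# GitHub Actions prefixes every log line with an ISO timestamp.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T[\d:.]+Z ?")
# MSBuild property switch: -p:Name=value, /p:Name=value or -property:Name=value.
PROPERTY_SWITCH = re.compile(r"(?<![\w/])[-/]p(?:roperty)?:\w+=[^\s,\]]+")
# MSBuild reports a failed <Exec> as: project(line,col): error MSB3073: The command "..."
EXEC_FAILED = re.compile(
    r'^(?P<project>\S+?)\((?P<line>\d+),\d+\): error MSB3073: '
    r'The command "(?P<command>.*)" exited with code (?P<code>-?\d+)'
)

def find_injected_args(log_text):
    """Return one finding per failed Exec whose tool rejected a property switch
    that the project's own command line does not contain."""
    findings = []
    rejected = None  # switches seen in the most recent argument complaint
    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw).strip()
        if "argument" in line.lower():
            rejected = PROPERTY_SWITCH.findall(line) or rejected
            continue
        failed = EXEC_FAILED.match(line)
        if not failed or rejected is None:
            continue
        # A switch present in the authored command was not injected.
        injected = [s for s in rejected if s not in failed["command"]]
        if injected:
            findings.append({
                "project": failed["project"],
                "line": int(failed["line"]),
                "command": failed["command"],
                "injected": injected,
            })
        rejected = None  # the build summary repeats the error; report it once
    return findings

if __name__ == "__main__":
    for finding in find_injected_args(SAMPLE_LOG):
        print(finding)
```
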