
CodeQL CLI prints warning for valid config file

Open Kiemes opened this issue 1 year ago • 5 comments

Downloading the latest version (2.17.0) and running just the executable without any arguments prints the warning `/Users/<user>/.config/codeql/config:1: Warning: Ignoring line with no option name.` when this config file is present:

```yaml
paths-ignore:
  - '**/*.Test.java'
```

There is nothing else in the config file. Still it should be valid according to this documentation. Or does the snippet only show a partial config file? If so, this could be better visualized or mentioned on the documentation. Is there a general syntax description of the config file?

The expectation is that there is no warning for valid config files, or that the documentation states what a valid config file should look like.

Kiemes avatar Apr 08 '24 15:04 Kiemes

Hi @Kiemes 👋

The documentation you have linked to is for configuration files that are understood by the CodeQL GitHub Action. The /Users/<user>/.config/codeql/config file that is used with the CLI follows the format described in https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/specifying-command-options-in-a-codeql-configuration-file

mbg avatar Apr 08 '24 15:04 mbg

Thanks for that hint @mbg. 😅 But how do I specify `paths-ignore` in the config file then, if the structure has to be `<command> <subcommand> <option> <value>`? Could you help there as well?

Kiemes avatar Apr 08 '24 15:04 Kiemes

You may be able to use the `--codescanning-config=<path>` option to specify a path to a `.yml` file with the format from the documentation you linked to. In other words, invoke `codeql database create` with `--codescanning-config=/path/to/your.yml` and place

```yaml
paths-ignore:
  - '**/*.Test.java'
```

in that file. You can skip the `/Users/<user>/.config/codeql/config` file entirely, or use it to store `--codescanning-config=/path/to/your.yml` as a default argument for `codeql database create`.

mbg avatar Apr 08 '24 16:04 mbg

I think I tried that before but it did not work. I retried and get:

```
Writing logs to /Users/<user>/<repo>/codeqlDB/log/database-create-20240409.101317.682.log.
Initializing database at /Users/<user>/<repo>/codeqlDB.
A fatal error occurred: Query pack codeql/java-queries cannot be found. Check the spelling of the pack.
```

The command I am running is `codeql database create codeqlDB --overwrite --source-root . --working-dir ./ --language=java --threads=0 --ram=4000 -v --build-mode none --codescanning-config=<absolute path to config>`. Without the `--codescanning-config` argument it works.

It seems not so easy to just ignore some files from the CodeQL check. I would not even know how to verify which files are actually checked and which are not, based on the output of the CLI. I looked into some of the generated files but did not identify clear evidence. For example, I saw `baseline-info.json`, which contains Java files from my repo, but it contains all of them, including the `*Test.java` files. Should the creation of the DB already skip adding files to the DB? Is there a way to see which files got used for the DB?

Kiemes avatar Apr 09 '24 08:04 Kiemes

Hi @Kiemes,

You could try running `codeql pack download codeql/java-queries` to make sure the pack is installed.

I also saw your comment in https://github.com/github/codeql/issues/8689 which I assume is related to this.

> Is there a way to see which files got used for the DB?

The database contains information about all extracted files, which can be queried with something like `from File f select f`. For just extracted source files, `from File f where f.isSourceFile() select f` will work.

mbg avatar Apr 13 '24 00:04 mbg
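The following script is an added example, not code from the issue or from the CodeQL project. It ties together the two points above: the `paths-ignore` YAML belongs in a code-scanning config passed via `--codescanning-config`, while the CLI config file at `~/.config/codeql/config` only accepts `<command> <subcommand> <option>` lines (which is why a bare `paths-ignore:` line triggers "Ignoring line with no option name"); and the only direct way to confirm which files were extracted is to query the database for `File` entities. The temporary paths, the pack name `example/extracted-files`, the `qlpack.yml` dependency on `codeql/java-all`, and the use of `codeql pack install` plus `codeql query run` to execute a stand-alone query are assumptions for illustration; the `codeql` invocations themselves only run when the CLI is on `PATH` and `CODEQL_SRC` points at a Java source tree.

```shell
#!/bin/sh
# Added example (not from the issue thread or the CodeQL project).
# Sets up the code-scanning YAML, the CLI default-argument config, and a
# small QL query listing the files that were actually extracted.
# All paths and the pack name "example/extracted-files" are placeholders.

# The YAML the code-scanning config format understands (paths-ignore lives here,
# NOT in ~/.config/codeql/config).
write_codescanning_config() {
    cat > "$1" <<'EOF'
paths-ignore:
  - '**/*.Test.java'
EOF
}

# The CLI config file: one "<command> <subcommand> <options>" line per entry.
# A YAML key such as "paths-ignore:" has no option name, hence the warning.
# Here the YAML path is stored as a default for "codeql database create".
#   $1 = config file path, $2 = path to the code-scanning YAML
write_cli_config() {
    mkdir -p "$(dirname "$1")"
    printf 'database create --codescanning-config=%s\n' "$2" > "$1"
}

# A minimal query pack (assumed layout) with the query from the thread,
# listing extracted Java source files by absolute path.
write_file_list_query() {
    mkdir -p "$1"
    cat > "$1/qlpack.yml" <<'EOF'
name: example/extracted-files
version: 0.0.1
dependencies:
  codeql/java-all: "*"
EOF
    cat > "$1/extracted-files.ql" <<'EOF'
import java

from File f
where f.isSourceFile()
select f.getAbsolutePath()
EOF
}

# Build the database and list what ended up in it. Requires the codeql CLI.
# "codeql pack download codeql/java-queries" mirrors the fix suggested for
# the "Query pack codeql/java-queries cannot be found" error.
#   $1 = source root, $2 = database dir, $3 = query pack dir
build_and_list() {
    codeql pack download codeql/java-queries
    codeql database create "$2" --overwrite --source-root "$1" \
        --language=java --build-mode none
    (cd "$3" && codeql pack install)
    # Any *.Test.java path in this output means the filter did not affect extraction.
    codeql query run --database="$2" "$3/extracted-files.ql"
}

# Usage: only runs when the CLI is installed and CODEQL_SRC is set.
if command -v codeql >/dev/null 2>&1 && [ -n "${CODEQL_SRC:-}" ]; then
    write_codescanning_config /tmp/codeql-config.yml
    write_cli_config "$HOME/.config/codeql/config" /tmp/codeql-config.yml
    write_file_list_query /tmp/extracted-files-pack
    build_and_list "$CODEQL_SRC" /tmp/codeqlDB /tmp/extracted-files-pack
fi
```

Querying the database is the direct check: `baseline-info.json` lists files seen in the source root, whereas the `File` entities in the database are what the queries will actually analyse. Grepping the `codeql query run` output for `Test.java` answers the original question without guessing from log files.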