
Rust: Scanning project with no `Cargo.toml`

Open rzuckerm opened this issue 2 months ago • 2 comments

Description of the issue

In this repo, we have stand-alone scripts (sample programs) in 150+ languages, one of which is Rust. We use the same structure for all languages (archive/<first-letter>/<language-name> -- e.g., archive/r/rust). Each directory only has the sample programs, an auto-generated README, and a YAML file that describes how to build and run the sample program using a custom docker-based tool. We don't include any type of project configuration file like Cargo.toml, Cargo.lock, etc. Also, we do not allow our sample programs to include any type of dependencies. Everything must be done with built-in language functions, libraries, etc.

We do CodeQL scans for all of the supported languages. I was excited that Rust was recently added, so I did this PR. It resulted in the same "low percentage" warning as in #20643, and I'm not sure that the scan actually did anything. Also, I tried to use manual mode, but I got an error that Rust does not support this. What do I need to do to get a proper scan of our Rust code?

rzuckerm avatar Nov 02 '25 16:11 rzuckerm

I figured out a workaround. I have my workflow do the following:

  • Generate Cargo.toml with a simple python script
  • Install Rust using rustup (not sure if that's actually necessary or not)

I'm not sure if this is the right way to do things, but it seems to work. I'm open to suggestions if there's a better way.

rzuckerm avatar Nov 02 '25 16:11 rzuckerm

👋 @rzuckerm

Generating a Cargo.toml is indeed one way to go. As CodeQL analysis relies on rust-analyzer under the hood, the other possibility is to generate a rust-project.json file following this format. You should fill in the sysroot field to get the best results.

redsun82 avatar Nov 24 '25 08:11 redsun82
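The `rust-project.json` route suggested in the last comment, worked through as an added example (not code from the issue, the repo, or CodeQL): one crate per stand-alone `.rs` file, no dependencies, and the `sysroot` field populated. Assumed, not from the page: the `archive/r/rust/*.rs` layout, and that the sysroot comes from `rustc --print sysroot` when none is passed in.

```python
"""Generate a rust-analyzer rust-project.json for a directory of stand-alone
Rust sample programs, one crate per file, so CodeQL has a project to index.
Assumption (not from the issue): files live under archive/r/rust/*.rs and the
sysroot is read from `rustc --print sysroot` unless given explicitly."""
import json
import subprocess
from pathlib import Path


def detect_sysroot() -> str:
    """Ask the installed toolchain for its sysroot (real rustc flag)."""
    return subprocess.check_output(["rustc", "--print", "sysroot"], text=True).strip()


def collect_sources(src_dir):
    """Every top-level .rs file in the directory, in a stable order."""
    return sorted(str(p) for p in Path(src_dir).glob("*.rs"))


def build_project(files, sysroot, edition="2021"):
    """Each file becomes its own crate: it is the root_module, has no deps
    (the repo forbids dependencies) and is a workspace member so it is analysed.
    sysroot_src points at the rust-src component location under the sysroot."""
    crates = [
        {
            "display_name": Path(f).stem,
            "root_module": str(Path(f).resolve()),
            "edition": edition,
            "deps": [],
            "cfg": [],
            "is_workspace_member": True,
        }
        for f in files
    ]
    return {
        "sysroot": sysroot,
        "sysroot_src": str(Path(sysroot) / "lib" / "rustlib" / "src" / "rust" / "library"),
        "crates": crates,
    }


def write_project(src_dir, out_path, sysroot=""):
    """Write rust-project.json next to the sources and return the document."""
    project = build_project(collect_sources(src_dir), sysroot or detect_sysroot())
    Path(out_path).write_text(json.dumps(project, indent=2))
    return project


if __name__ == "__main__":
    root = Path("archive/r/rust")  # constructed path, adjust to the repo
    write_project(root, root / "rust-project.json")
```

Install the `rust-src` component (`rustup component add rust-src`) so the `sysroot_src` directory actually exists, otherwise standard-library types will not resolve.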