Python poetry alerts
I've set up a basic CodeQL pipeline for Python and I'm using Poetry as the dependency manager.
What I found out is that if a file `poetry.toml` with the configuration below is present (the venv is created in `$PWD/.venv`):

```toml
[virtualenvs]
in-project = true
```

then the pipeline starts reporting a bunch of alerts regarding urllib, requests, etc.
If I remove `poetry.toml`, the alerts are gone (the venv is created in `/home/runner/.cache/pypoetry/virtualenvs`).
I'm not sure if I should be getting the alerts or not. However, the behavior should be consistent in both cases.
I think I get it now: CodeQL searches for Python files in the current working directory, right? Therefore, when `.venv` is in the cwd, it also scans all the dependencies. Still, what is the intended way? Scan only project files, or scan all files including dependencies? I guess I can just put `.venv` into some path ignore to make it consistent. Feel free to close this issue.
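As an added example (not part of the original discussion), this is the kind of path-ignore configuration the comment above refers to: a CodeQL configuration file that excludes the in-project virtualenv so third-party packages are not analyzed as project code. The file path `.github/codeql/codeql-config.yml` is an assumption; it is passed to the `github/codeql-action/init` step via its `config-file` input.

```yaml
# .github/codeql/codeql-config.yml (assumed path; added example, not from the discussion)
name: "Python scan of project files only"

# Glob patterns relative to the repository root. Excluding .venv means that
# when poetry.toml sets [virtualenvs] in-project = true and the venv lands in
# $PWD/.venv, its site-packages (urllib3, requests, ...) are skipped, giving
# the same result as when Poetry keeps the venv under ~/.cache/pypoetry.
paths-ignore:
  - ".venv"
  - "**/.venv"
```

Alerts in dependencies are better handled by a dependency scanner (e.g. Dependabot alerts) than by CodeQL's source analysis, which is intended for the project's own code.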