
Python poetry alerts

Open · guderkar opened this issue 1 year ago · 1 comment

I've set up a basic CodeQL pipeline for Python and I'm using poetry as the dependency manager.

What I found out is that if a poetry.toml file with the configuration below is present (the venv is created in $PWD/.venv)

[virtualenvs]
in-project = true

then the pipeline starts reporting a bunch of alerts regarding urllib, requests, etc.

If I remove poetry.toml, the alerts are gone (the venv is created in /home/runner/.cache/pypoetry/virtualenvs).

I'm not sure if I should be getting the alerts or not. However, the behavior should be consistent in both cases.

guderkar avatar Jul 26 '22 15:07 guderkar

I think I get it now: CodeQL searches for Python files in the current working directory, right? Therefore, when .venv is in the cwd, it also scans all the dependencies. Still, what is the intended way? Scan only project files, or scan all files including dependencies? I guess I can just put .venv in some path ignore to make it consistent. Feel free to close this issue.

guderkar avatar Jul 26 '22 19:07 guderkar
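The path-ignore approach mentioned in the comment above, written out as an added example (not code from the issue or from the CodeQL project); it assumes the config file lives at `.github/codeql/codeql-config.yml` and is passed to the `github/codeql-action/init` step via its `config-file` input:

```yaml
# .github/codeql/codeql-config.yml (assumed location; referenced from the
# workflow's init step with `config-file: ./.github/codeql/codeql-config.yml`)
name: "Python analysis, project sources only"

# Without paths-ignore, an in-project virtualenv (.venv created because
# poetry.toml sets virtualenvs.in-project = true) sits inside the working
# directory, so every installed dependency (urllib3, requests, ...) is
# extracted and its findings show up as alerts on this repository.
paths-ignore:
  - ".venv"          # poetry in-project virtualenv
  - "**/__pycache__"
  - "**/*.egg-info"

# Optionally restrict extraction to the real source tree so the result is
# the same whether the venv lands in $PWD/.venv or under ~/.cache/pypoetry.
paths:
  - "src"
  - "tests"
```

With the venv ignored, the alert set no longer depends on where poetry happens to create the virtualenv, and third-party findings are left to dependency scanning rather than appearing as code-scanning alerts on the project itself.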