github / codeql

CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security

Home Page:https://codeql.github.com

Create a database from a project with Bazel, can't do it

KeuntaeShin opened this issue · comments

commented

The version of the CodeQL CLI I tried:

host@machine:/tmp/bazel$ codeql version
CodeQL command-line toolchain release 2.17.1.
Copyright (C) 2019-2024 GitHub, Inc.
Unpacked in: /ssd_300GB/codeql_home/codeql
Analysis results depend critically on separately distributed query and
extractor modules. To list modules that are visible to the toolchain,
use 'codeql resolve qlpacks' and 'codeql resolve languages'.
host@machine:/tmp/bazel$

The result of executing it on a Bazel project:

host@machine:/tmp/bazel/examples/cpp-tutorial/stage1$ codeql database create $(date +%Y%m%d_%H%M%S) --language=cpp --command="
bazel build //main:hello-world --sandbox_add_mount_pair=/tmp"
Initializing database at /tmp/bazel/examples/cpp-tutorial/stage1/20240510_171324.
Running build command: [bazel, build, //main:hello-world, --sandbox_add_mount_pair=/tmp]
Running command in /tmp/bazel/examples/cpp-tutorial/stage1: [bazel, build, //main:hello-world, --sandbox_add_mount_pair=/tmp]
[2024-05-10 17:13:25] [build-stderr] Computing main repo mapping:
[2024-05-10 17:13:25] [build-stderr] Loading:
[2024-05-10 17:13:25] [build-stderr] Loading: 0 packages loaded
[2024-05-10 17:13:25] [build-stderr] Analyzing: target //main:hello-world (1 packages loaded, 0 targets configured)
[2024-05-10 17:13:25] [build-stderr] Analyzing: target //main:hello-world (1 packages loaded, 0 targets configured)
[2024-05-10 17:13:25] [build-stderr] [0 / 1] [Prepa] BazelWorkspaceStatusAction stable-status.txt
[2024-05-10 17:13:25] [build-stderr] INFO: Analyzed target //main:hello-world (69 packages loaded, 6451 targets configured).
[2024-05-10 17:13:26] [build-stderr] [4 / 6] [Scann] Compiling main/hello-world.cc
[2024-05-10 17:13:28] [build-stderr] INFO: Found 1 target...
[2024-05-10 17:13:28] [build-stderr] Target //main:hello-world up-to-date:
[2024-05-10 17:13:28] [build-stderr] bazel-bin/main/hello-world
[2024-05-10 17:13:28] [build-stderr] INFO: Elapsed time: 2.902s, Critical Path: 1.36s
[2024-05-10 17:13:28] [build-stderr] INFO: 6 processes: 4 internal, 2 linux-sandbox.
[2024-05-10 17:13:28] [build-stderr] INFO: Build completed successfully, 6 total actions
Finalizing database at /tmp/bazel/examples/cpp-tutorial/stage1/20240510_171324.
CodeQL detected code written in C/C++ but could not process any of it. For more information, review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build.
host@machine:/tmp/bazel/examples/cpp-tutorial/stage1$

However, the output does not include a src.zip containing the source code (main/hello-world.cc above):

host@machine:/tmp/bazel/examples/cpp-tutorial/stage1/20240510_171324$ ls
baseline-info.json codeql-database.yml diagnostic log working
host@machine:/tmp/bazel/examples/cpp-tutorial/stage1/20240510_171324$

Should I use other commands or ways to archive them?

CodeQL for C/C++ intercepts compiler calls to figure out which source files to analyze. Bazel has a clever caching mechanism that skips calling the compiler if it can be avoided. This can lead to CodeQL not "seeing" any source files.

Have you tried the example commands for Bazel from the documentation at https://docs.github.com/en/enterprise-cloud@latest/code-security/codeql-cli/getting-started-with-the-codeql-cli/preparing-your-code-for-codeql-analysis ?

Project built using Bazel:

# Navigate to the Bazel workspace.

# Before building, remove cached objects
# and stop all running Bazel server processes.
bazel clean --expunge

# Build using the following Bazel flags, to help CodeQL detect the build:
# `--spawn_strategy=local`: build locally, instead of using a distributed build
# `--nouse_action_cache`: turn off build caching, which might prevent recompilation of source code
# `--noremote_accept_cached`, `--noremote_upload_local_results`: avoid using a remote cache
codeql database create new-database --language=<language> \
--command='bazel build --spawn_strategy=local --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results //path/to/package:target'

# After building, stop all running Bazel server processes.
# This ensures future build commands start in a clean Bazel server process
# without CodeQL attached.
bazel shutdown
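The recipe above only helps if you also confirm afterwards that the extractor actually captured something; an empty database like the one in the issue (no src.zip) is still a valid database and a later `codeql database analyze` would just report zero findings. The script below is an added example, not code from the issue thread or from the CodeQL project: it wraps the documented Bazel flags in a function and adds a check that the finalized database contains a non-empty src.zip. It assumes `codeql` and `bazel` are on PATH, a C/C++ target, and that `unzip` is available for the optional listing; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not from the issue or the CodeQL project): build a CodeQL
# database for a Bazel C/C++ target with caching and sandboxing disabled, then
# verify that source files were actually archived before running any queries.
set -eu

# Build the database with the flags from the CodeQL docs quoted above.
# $1 = database directory, $2 = Bazel target label (e.g. //main:hello-world)
# Assumes codeql and bazel are on PATH and the cwd is the Bazel workspace.
build_codeql_db() {
  db_dir="$1"
  target="$2"
  bazel clean --expunge
  codeql database create "$db_dir" --language=cpp --overwrite \
    --command="bazel build --spawn_strategy=local --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results ${target}"
  # Stop the Bazel server so later builds do not run with CodeQL attached.
  bazel shutdown
}

# Return 0 if the finalized database holds a non-empty src.zip (the archived
# copy of every source file the extractor saw), 1 otherwise. A database
# without src.zip, like the directory listing in the issue, means no compiler
# call was intercepted.
db_has_sources() {
  db_dir="$1"
  if [ ! -f "$db_dir/codeql-database.yml" ]; then
    echo "not a CodeQL database: $db_dir" >&2
    return 1
  fi
  if [ ! -s "$db_dir/src.zip" ]; then
    echo "no source archived in $db_dir (missing or empty src.zip)" >&2
    return 1
  fi
  return 0
}

# Optional: confirm that one specific file made it into the archive.
# $1 = database directory, $2 = path fragment as it appears in the archive,
#      e.g. main/hello-world.cc. Skips (returns 0) when unzip is unavailable.
db_archived_file() {
  db_dir="$1"
  fragment="$2"
  if ! command -v unzip >/dev/null 2>&1; then
    echo "unzip not available, skipping archive listing" >&2
    return 0
  fi
  unzip -l "$db_dir/src.zip" | grep -q -- "$fragment"
}

# Usage: sh create-and-check.sh <db-dir> <bazel-target> [<source-file>]
# Only runs when invoked with arguments, so the functions can also be sourced.
if [ "$#" -ge 2 ]; then
  build_codeql_db "$1" "$2"
  db_has_sources "$1"
  if [ "$#" -ge 3 ]; then
    db_archived_file "$1" "$3"
  fi
  echo "OK: sources captured in $1/src.zip"
fi
```

Running it as `sh create-and-check.sh codeql-db //main:hello-world main/hello-world.cc` from the workspace root fails fast (non-zero exit) if the build went through Bazel's cache and nothing was extracted, which is the failure mode reported in the issue; the same check is cheap to keep in CI in front of `codeql database analyze`.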
commented

The options you mentioned worked successfully. Thanks!