Question: C# analysis without building the code, on Azure DevOps #16070
Comments
Yes, it's possible to run CodeQL queries on C# code without building it first. Create CodeQL Database: Use the `codeql database create` command to create a CodeQL database from your C# source code. This command will analyze your source code and build a database that can be queried. `codeql database create --language=csharp` Run CodeQL Queries: Once the database is created, you can run CodeQL queries against it using the `codeql query run` command.
Replace with the path to your CodeQL query file, with the path to your CodeQL database, and with the desired path for the output. |
Thanks for the response @Malikrehman00107. I have a few follow-up questions on this. First, can I achieve this in an Azure DevOps environment? And when you say running the query, do we have to provide the query files one by one and then analyse, or can we provide all the queries in a single command? |
The short and simple answer: yes! First, you can add a custom task to your Azure DevOps pipeline to execute CodeQL commands. This task can execute the `codeql database create` command to create a CodeQL database from your C# source code and the `codeql query run` command to run multiple queries against the created database. Then place all your query files in a directory, and specify this directory using the `--search-path` option when running the `codeql query run` command. CodeQL will then run all the queries found in that directory. Example
Replace with the path to your CodeQL database and with the directory containing your query files. |
I tried doing this on my local and I am falling into a build issue while trying to create the database only. `./codeql database create --source-root /code_path --language csharp mydatabase` It is failing with a build issue running the above command. `[2024-04-01 23:08:03] [build-stdout] Attempting to locate build script` Please let me know what I am doing wrong here. |
Hi @keeplearning-rgb 👋 Thanks for your question last week! Before I answer it, can I ask what your reason for doing this is? Generally speaking, we'd expect you to have a pipeline which creates the database (to reflect the latest version of your code) and then run the queries against that. If you don't create a database in the pipeline and use one you previously generated, it will contain information about your code at the time you generated the database only. That's fine if your code never changes and only your queries do, but then you may be better off just running the CodeQL commands locally. To answer your question, do you already have a database for your codebase or are you looking to create one without building the project? If it's the latter, we currently require you to perform a full build in order to create the database. Are you able to create a database for your code locally? Based on your most recent comment, it seems that you aren't since you ran Once you have a database, you would then need to place your database somewhere that your Azure DevOps pipeline can access (possibly as an artifact somewhere) and then have a custom step in your pipeline which runs |
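The pipeline shape described in the comment above (create the database from a full build, then run the queries against it), sketched as an Azure Pipelines definition. This is an added example, not part of the thread and not GitHub's or Microsoft's own configuration; it assumes the `codeql` CLI is already on the agent's PATH and that `dotnet build` is the project's build command. Passing a query pack to `codeql database analyze` runs all of its default queries in one command.

```yaml
# Added example: build-traced CodeQL database for C#, then one analyze call.
# Assumptions: codeql CLI is on the agent's PATH; `dotnet build` builds the repo.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  codeqlDb: $(Agent.TempDirectory)/codeql-db
  sarifOut: $(Build.ArtifactStagingDirectory)/csharp.sarif

steps:
  # CodeQL traces the compiler invocations made by the build command,
  # so the build has to actually compile (no incremental skip).
  - script: |
      codeql database create "$(codeqlDb)" \
        --language=csharp \
        --source-root="$(Build.SourcesDirectory)" \
        --command="dotnet build --no-incremental"
    displayName: Create CodeQL database (traced build)

  # A pack name instead of a single .ql file runs the pack's default suite.
  - script: |
      codeql database analyze "$(codeqlDb)" codeql/csharp-queries \
        --download \
        --format=sarif-latest \
        --output="$(sarifOut)"
    displayName: Run the C# query pack

  # Keep the SARIF file so results can be reviewed after the run.
  - task: PublishBuildArtifacts@1
    inputs:
      PathtoPublish: $(sarifOut)
      ArtifactName: codeql-sarif
    displayName: Publish SARIF results
```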
Hi @mbg Thanks a lot for this detailed response. I understood everything, but I don't think CodeQL is able to satisfy my requirement as of now. If I put it again in simple words, my main requirement is to take a C#-based project and run CodeQL queries on it without doing the build. Though I have custom build commands for certain repositories, some of them can't be built due to certain restrictions. So, for the projects in which I have a custom build present it is fine, but for the others lacking it I wanted to know if I can run the queries without doing a build. Please correct me if I am wrong in some way. |
We currently have a private beta which lifts the need to build C# code prior to analysis, similar to what we have already shipped for Java recently. This is not yet available publicly. I have checked with our Product Manager for this and you'd be welcome to drop him an email at coadaflorin@github.com if you are interested in joining this private beta. |
Hi @mbg Thanks for this, I have emailed your Project Manager about my interest in joining the private beta. Thanks for all the help. |
I want to know if it is possible to run CodeQL queries for C# code without building it.
I am using Advanced Security inside Azure DevOps, which requires me to set up a build first; only then can I run a CodeQL scan.
I want to do the above directly by just setting up a CodeQL database and running the code scan after that.