Question: C# analysis without building the code, on Azure DevOps #16070

Open
keeplearning-rgb opened this issue Mar 27, 2024 · 8 comments
Labels: C#, question (Further information is requested)

Comments

@keeplearning-rgb

I want to know if it is possible to run the CodeQL queries on C# code without building it.

I am using Advanced Security inside Azure DevOps, which requires me to set up a build first; only then can I run the CodeQL scan.
I want to do the above directly by just setting up a CodeQL database and running the code scan after that.

@keeplearning-rgb keeplearning-rgb added the question Further information is requested label Mar 27, 2024
@Malikrehman00107

Yes, it's possible to run CodeQL queries on C# code without building it first.

Create CodeQL Database: Use the codeql database create command to create a CodeQL database from your C# source code. This command will analyze your source code and build a database that can be queried.

codeql database create <path-to-database> --language=csharp

Run CodeQL Queries: Once the database is created, you can run CodeQL queries against it using the codeql query run command.

codeql query run <query-file> --database=<path-to-database> --output=<output-file>

Replace <query-file> with the path to your CodeQL query file, <path-to-database> with the path to your CodeQL database, and <output-file> with the desired path for the output.

@keeplearning-rgb
Author

Thanks for the response @Malikrehman00107

I have a few follow-up questions on this. First, can I achieve this in an Azure DevOps environment? And when you say running the query, do we have to provide the query files one by one and then analyse them, or can we provide all the queries in a single command?

@Malikrehman00107

The short and simple answer: yes!

First, you can add a custom task to your Azure DevOps pipeline to execute CodeQL commands. This task can execute the codeql database create command to create a CodeQL database from your C# source code and the codeql query run command to run multiple queries against the created database.

Then place all your query files in a directory, and specify this directory using the --search-path option when running the codeql query run command. CodeQL will then run all the queries found in that directory.

Example

codeql query run --database=<path-to-database> --search-path=<directory-containing-query-files> --output=<output-file>

Replace <path-to-database> with the path to your CodeQL database and <directory-containing-query-files> with the directory containing your query files.

@keeplearning-rgb
Author

Hi @Malikrehman00107

I tried doing this locally and I am running into a build issue while just trying to create the database.
Though, as you mentioned, it shouldn't be trying to build the code.

./codeql database create --source-root /code_path --language csharp mydatabase

It is failing with a build issue when running the above command.

[2024-04-01 23:08:03] [build-stdout] Attempting to locate build script
[2024-04-01 23:08:03] [build-stderr] Error: Could not auto-detect a suitable build method
[2024-04-01 23:08:05] [ERROR] Spawned process exited abnormally (code 1; tried to run: [/Users/username/Desktop/tools/osx64/preload_tracer, /Users/username/Desktop/csharp/tools/autobuild.sh])
A fatal error occurred: Exit status 1 from command

Please let me know what I am doing wrong here.
Thank you

@adityasharad adityasharad changed the title General issue Question: C# analysis without building the code, on Azure DevOps Apr 1, 2024
@mbg
Member

mbg commented Apr 2, 2024

Hi @keeplearning-rgb 👋

Thanks for your question last week! Before I answer it, can I ask what your reason for doing this is? Generally speaking, we'd expect you to have a pipeline which creates the database (to reflect the latest version of your code) and then run the queries against that. If you don't create a database in the pipeline and use one you previously generated, it will contain information about your code at the time you generated the database only. That's fine if your code never changes and only your queries do, but then you may be better off just running the CodeQL commands locally.

To answer your question, do you already have a database for your codebase or are you looking to create one without building the project? If it's the latter, we currently require you to perform a full build in order to create the database. Are you able to create a database for your code locally? Based on your most recent comment, it seems that you aren't since you ran ./codeql database create --source-root /code_path --language csharp mydatabase and this failed. Generally, you want to place the codeql binary in your PATH somewhere and then run codeql database create --language csharp mydatabase in the root directory of the source tree. Could you post the full log leading up to the error though? The part of the error message you posted only indicates that CodeQL was unable to determine how to build your project automatically -- the reason why would be higher up in the log. Depending on what goes wrong there, there may be different options for getting the database creation to succeed, such as providing a custom build command.

Once you have a database, you would then need to place your database somewhere that your Azure DevOps pipeline can access (possibly as an artifact somewhere) and then have a custom step in your pipeline which runs codeql database analyze with either an existing query pack or a custom one. You do not have to run codeql query run for each query individually.
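The earlier answers sketch a two-step flow (create a database, then run queries) and the comment above corrects it: the C# extractor needs a real build, a project the autobuilder cannot detect needs a custom build command, and the queries are best run with codeql database analyze against a query pack rather than codeql query run per file. The script below is an added example that puts those pieces into one pipeline step; it is not code from this thread, from the CodeQL project or from Azure DevOps. The script name and the environment variables it reads (CODEQL, SOURCE_ROOT, DB_DIR, BUILD_CMD, QUERIES, OUTPUT) and their defaults are its own assumptions; the codeql subcommands and flags it uses (database create with --language, --source-root, --overwrite and --command; database analyze with --format, --output and --download) and the codeql/csharp-queries pack are the CLI's real ones.

```shell
#!/usr/bin/env sh
# codeql_scan.sh (hypothetical name): create a CodeQL database for a C#
# project and analyze it with the published C# query pack.
# Meant to run from a Bash task in an Azure DevOps pipeline with the
# CodeQL bundle on PATH. Environment (all names are this script's own):
#   CODEQL       codeql binary (default: codeql on PATH)
#   SOURCE_ROOT  checkout directory (default: current directory)
#   DB_DIR       where the database is written (default: ./codeql-db)
#   BUILD_CMD    custom build command; empty means let the autobuilder try
#   QUERIES      queries or query pack to run (default: codeql/csharp-queries)
#   OUTPUT       SARIF file to write (default: results.sarif)
set -eu

CODEQL="${CODEQL:-codeql}"
SOURCE_ROOT="${SOURCE_ROOT:-.}"
DB_DIR="${DB_DIR:-./codeql-db}"
BUILD_CMD="${BUILD_CMD:-}"
QUERIES="${QUERIES:-codeql/csharp-queries}"
OUTPUT="${OUTPUT:-results.sarif}"

# Step 1: build the database. The C# extractor traces a compiler run, so
# when the autobuilder cannot find a build method ("Could not auto-detect
# a suitable build method") the fix is to pass the build via --command.
create_database() {
  if [ -n "$BUILD_CMD" ]; then
    "$CODEQL" database create "$DB_DIR" --language=csharp \
      --source-root="$SOURCE_ROOT" --overwrite --command="$BUILD_CMD"
  else
    "$CODEQL" database create "$DB_DIR" --language=csharp \
      --source-root="$SOURCE_ROOT" --overwrite
  fi
}

# Step 2: run a whole query pack in one go and emit SARIF. --download
# fetches the pack if it is not already in the package cache, so the
# pipeline agent does not need a pre-seeded cache.
analyze_database() {
  "$CODEQL" database analyze "$DB_DIR" "$QUERIES" \
    --format=sarif-latest --output="$OUTPUT" --download
}

main() {
  case "${1:-}" in
    run)
      create_database
      analyze_database
      printf 'SARIF written to %s\n' "$OUTPUT"
      ;;
    *)
      printf 'usage: [BUILD_CMD="dotnet build MySolution.sln"] %s run\n' "$0"
      ;;
  esac
}

main "$@"
```

In a pipeline this would be invoked from a Bash step as `SOURCE_ROOT=$(Build.SourcesDirectory) BUILD_CMD='dotnet build MySolution.sln' sh codeql_scan.sh run`, and results.sarif then published as a pipeline artifact. The step relevant to this thread is the first one: for the repositories that cannot be built, there is no value of BUILD_CMD that helps, because the extractor has nothing to trace, which is exactly the failure shown in the log above.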

@keeplearning-rgb
Author

Hi @mbg

Thanks a lot for this detailed response.

I understood everything, but I don't think CodeQL is able to satisfy my requirement as of now.
As you also mentioned, it is currently not possible to run the CodeQL scan on C# code without running the build.

If I put it in simple words again, my main requirement is to take a C#-based project and run CodeQL queries on it without doing the build. Though I have custom build commands for certain repositories, some of them can't be built due to certain restrictions. So for the projects where I have a custom build present it is fine, but for the others lacking one I wanted to know if I can run the queries without doing a build.

Please correct me if I am wrong in some way.

@mbg
Member

mbg commented Apr 3, 2024

Hi @keeplearning-rgb,

We currently have a private beta which lifts the need to build C# code prior to analysis, similar to what we have already shipped for Java recently. This is not yet available publicly.

I have checked with our Product Manager for this and you'd be welcome to drop him an email at coadaflorin@github.com if you are interested in joining this private beta.

@keeplearning-rgb
Author

Hi @mbg

Thanks for this, I have emailed your Project Manager about my interest in joining the private beta.
Waiting for his response!!

Thanks for all the help.

@sidshank sidshank added the C# label Apr 30, 2024