
No results from csharp analysis under GitHub Security #2856


Closed
Kielek opened this issue Apr 8, 2025 · 2 comments · Fixed by open-telemetry/opentelemetry-dotnet-instrumentation#4150

@Kielek

Kielek commented Apr 8, 2025

I am re-enabling CodeQL analysis for OpenTelemetry .NET Automatic Instrumentation. Jobs are finishing successfully with the following warning: "Timed out waiting for analysis to finish processing. Continuing..".

Based on the documentation, it might happen, but there are no GitHub results showing under the Security tab even 3+ hours after the executions.


You can find all executions under https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/actions/workflows/codeql-analysis.yml.

The job definition is under https://github.com/open-telemetry/opentelemetry-dotnet-instrumentation/blob/d641fa1bfac7706b101668dad611c5c537a0f7e0/.github/workflows/codeql-analysis.yml

And the debug log results with the SARIF file: debug-artifacts-csharp.zip

Could you please advise? Help to debug the issue?

@Kielek Kielek changed the title No results from csharp analysis No results from csharp analysis unde GitHub Security Apr 8, 2025
@Kielek Kielek changed the title No results from csharp analysis unde GitHub Security No results from csharp analysis under GitHub Security Apr 8, 2025
@marcogario marcogario self-assigned this Apr 14, 2025
@aibaars
Collaborator

aibaars commented Apr 15, 2025

Thanks for reporting.

The problem appears to be caused by missing data when comparing against the previous run, likely because the previous run is very old and alerts data has been (partially) removed.

In your case I'd recommend updating the workflow and specifying an explicit "category" for uploading results. CodeScanning compares current and previous runs of the same category to determine which alerts are new or fixed. Using a new category causes CodeScanning to start from scratch.

Normally changing the category is a little tricky because it would leave pre-existing alerts open. However, in your case this is no problem because there are no pre-existing alerts.

This pull request should update your workflow. It was made by merging your existing workflow with the CodeQL template from https://github.com/actions/starter-workflows/blob/main/code-scanning/codeql.yml .
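As an added illustration of the advice in the comment above (this is not the linked pull request's diff, which the page does not reproduce, and not the project's actual workflow): a CodeQL workflow job whose analyze step passes an explicit category, using the `/language:<lang>` naming convention of the starter workflow at actions/starter-workflows. The trigger branches, schedule, runner and the single-language matrix are assumptions chosen to match the csharp case discussed in this issue.

```yaml
name: "CodeQL"

on:
  push:
    branches: [ "main" ]          # assumed default branch
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "30 5 * * 1"          # assumed weekly scheduled scan

jobs:
  analyze:
    name: Analyze (${{ matrix.language }})
    runs-on: ubuntu-latest
    permissions:
      security-events: write      # needed to upload SARIF to the Security tab
      actions: read
      contents: read
    strategy:
      fail-fast: false
      matrix:
        language: [ "csharp" ]    # assumed: only the language this issue is about

    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}

      - uses: github/codeql-action/autobuild@v3

      - uses: github/codeql-action/analyze@v3
        with:
          # Explicit, stable category. Code scanning diffs each upload against
          # the previous upload of the SAME category to decide which alerts are
          # new or fixed, so this value must not change between runs. Using a
          # category the repository has never uploaded under makes code
          # scanning start from scratch, which is what the comment above
          # recommends for a repository with no pre-existing alerts.
          category: "/language:${{ matrix.language }}"
```

Two practical checks: the category string must be identical on every upload for the same language (build it from the matrix variable rather than hand-typing it per job), and if it is ever changed later, alerts uploaded under the old category are not closed automatically, which is the "leaves pre-existing alerts open" caveat in the comment above. Which categories a repository has actually uploaded under can be listed with the code scanning REST endpoint `GET /repos/{owner}/{repo}/code-scanning/analyses`, whose entries include a `category` field.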

@Kielek
Author

Kielek commented Apr 15, 2025

Thank you for the fixes and additional answers. I will clean up older results later (probably tomorrow).
