My .NET solution has a project that uses a dotnet tool command to generate code from an OpenApi spec. This works fine in my GH workflows and local environment but fails in the CodeQL action. The CodeQL action attempts to inject invalid parameters into this command. I've found an old PR that attempts to fix a very similar issue, github/codeql#13794, but that does not seem to fix my issue. I think this issue happened on version v2 of the CodeQL actions as well.
dotnet-tools.json file:
{
  "version": 1,
  "isRoot": true,
  "tools": {
    "nswag.consolecore": {
      "version": "14.0.3",
      "commands": [
        "nswag"
      ]
    }
  }
}
global.json (This already happened when the project was in .NET 6):
{
  "sdk": {
    "version": "8.0.200",
    "rollForward": "latestFeature",
    "allowPrerelease": false
  }
}
SwaggerDefinition.csproj of the project that fails:
<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <OutputType>Library</OutputType>
    <NoDefaultLaunchSettingsFile>true</NoDefaultLaunchSettingsFile>
  </PropertyGroup>
  <ItemGroup>
    <OpenApiSpec Include="api-spec.json" />
    <NSwagServer Include="nswag-server.json" />
    <NSwagClient Include="nswag-client.json" />
    <GeneratedServerCode Include="ApiServer_generated.cs" />
    <GeneratedClientCode Include="ApiClient_generated.cs" />
    <NSwagDependencies Include="SwaggerDefinition.csproj;@(OpenApiSpec);@(NSwagServer);@(NSwagClient)" />
    <NSwagGenerated Include="@(GeneratedServerCode);@(GeneratedClientCode)" />
  </ItemGroup>
  <Target Name="RunNSwag" BeforeTargets="BeforeCompile;CoreCompile" Inputs="@(NSwagDependencies)" Outputs="@(NSwagGenerated)">
    <Exec Command="dotnet tool restore" />
    <Message Importance="High" Text="Generating code from OpenApi spec..." />
    <Exec Command="dotnet nswag run @(NSwagServer) /variables:OpenApiSpecFile=@(OpenApiSpec),Namespace=Api.Server,Output=@(GeneratedServerCode)" />
    <Exec Command="dotnet nswag run @(NSwagClient) /variables:OpenApiSpecFile=@(OpenApiSpec),Namespace=Api.Client,Output=@(GeneratedClientCode)" />
  </Target>
  <ItemGroup>
    <Compile Remove="*_generated.cs" />
  </ItemGroup>
</Project>
SwaggerDefinition project content:
SwaggerDefinition
|
-- SwaggerDefinition.csproj
-- api-spec.json
-- nswag-client.json
-- nswag-server.json
The error in the CodeQL GH workflow:
2024-03-04T06:54:29.5538939Z Running /home/runner/work/_temp/codeql_databases/csharp/working/.dotnet/dotnet build --no-incremental /home/runner/work/svalbuena/Solution.sln
2024-03-04T06:54:29.7120349Z MSBuild version 17.9.4+90725d08d for .NET
2024-03-04T06:54:31.0562838Z Determining projects to restore...
2024-03-04T06:54:31.7560432Z All projects are up-to-date for restore.
2024-03-04T06:54:34.2140644Z Skipping NuGet package signature verification.
2024-03-04T06:54:34.6077126Z Tool 'nswag.consolecore' (version '14.0.3') was restored. Available commands: nswag
2024-03-04T06:54:34.6081509Z
2024-03-04T06:54:34.6153772Z Restore was successful.
2024-03-04T06:54:34.6279022Z Generating code from OpenApi spec...
2024-03-04T06:54:35.0473533Z NSwag command line tool for .NET Core Net80, toolchain v14.0.3.0 (NJsonSchema v11.0.0.0 (Newtonsoft.Json v13.0.0.0))
2024-03-04T06:54:35.0488160Z Visit http://NSwag.org for more information.
2024-03-04T06:54:35.0510648Z NSwag bin directory: /home/runner/.nuget/packages/nswag.consolecore/14.0.3/tools/net8.0/any
2024-03-04T06:54:35.0806802Z NConsole.UnusedArgumentException: Unrecognised arguments are present: [-p:EmitCompilerGeneratedFiles=true, --, nswag-server.json]
2024-03-04T06:54:35.0808872Z at NConsole.CommandLineProcessor.ProcessSingleAsync(String[] args, Object input)
2024-03-04T06:54:35.0810075Z at NConsole.CommandLineProcessor.ProcessAsync(String[] args, Object input)
2024-03-04T06:54:35.1001386Z at NSwag.Commands.NSwagCommandProcessor.ProcessAsync(String[] args) in /_/src/NSwag.Commands/NSwagCommandProcessor.cs:line 62
2024-03-04T06:54:35.1004640Z /home/runner/work/Solution/src/SwaggerDefinition/SwaggerDefinition.csproj(23,5): error MSB3073: The command "dotnet nswag run nswag-server.json /variables:OpenApiSpecFile=api-spec.json,Namespace=Api.Server,Output=ApiServer_generated.cs" exited with code 255.
2024-03-04T06:54:35.1456954Z
2024-03-04T06:54:35.1457702Z Build FAILED.
2024-03-04T06:54:35.1458351Z
2024-03-04T06:54:35.1461039Z /home/runner/work/Solution/src/SwaggerDefinition/SwaggerDefinition.csproj(23,5): error MSB3073: The command "dotnet nswag run nswag-server.json /variables:OpenApiSpecFile=api-spec.json,Namespace=Api.Server,Output=ApiServer_generated.cs" exited with code 255.
2024-03-04T06:54:35.1463938Z 0 Warning(s)
2024-03-04T06:54:35.1543634Z 1 Error(s)
2024-03-04T06:54:35.1543897Z
2024-03-04T06:54:35.1544051Z Time Elapsed 00:00:05.30
2024-03-04T06:54:35.1813354Z Exit code 1
codeql.yaml:
name: CodeQL
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  schedule:
    - cron: 16 5 * * 5
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    timeout-minutes: 360
    permissions:
      actions: read
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        language:
          - csharp
          - javascript
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4
      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{matrix.language}}"
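
A small triage helper for the log above, as an added example that is not part of the original issue or of CodeQL: it pairs the NConsole rejection with the command MSBuild reports and separates rejected tokens that never appeared in the .csproj Exec command from those that did. The function name and the "injected"/"displaced" labels are assumptions of this example; the sample lines are copied from the log quoted in the issue.

```python
import re
import shlex

# Lines copied from the build log quoted in the issue (timestamps kept).
SAMPLE_LOG = """\
2024-03-04T06:54:35.0806802Z NConsole.UnusedArgumentException: Unrecognised arguments are present: [-p:EmitCompilerGeneratedFiles=true, --, nswag-server.json]
2024-03-04T06:54:35.1004640Z /home/runner/work/Solution/src/SwaggerDefinition/SwaggerDefinition.csproj(23,5): error MSB3073: The command "dotnet nswag run nswag-server.json /variables:OpenApiSpecFile=api-spec.json,Namespace=Api.Server,Output=ApiServer_generated.cs" exited with code 255.
2024-03-04T06:54:35.1461039Z /home/runner/work/Solution/src/SwaggerDefinition/SwaggerDefinition.csproj(23,5): error MSB3073: The command "dotnet nswag run nswag-server.json /variables:OpenApiSpecFile=api-spec.json,Namespace=Api.Server,Output=ApiServer_generated.cs" exited with code 255.
"""

# NConsole prints the rejected tokens as "[a, b, c]".
UNUSED_RE = re.compile(r"Unrecognised arguments are present: \[(.*)\]")
# MSB3073 echoes the command exactly as the <Exec> task declared it.
MSB3073_RE = re.compile(r'error MSB3073: The command "(.*?)" exited with code (\d+)')


def classify_rejected_args(log_text):
    """Pair each NConsole rejection with the next MSB3073 line and split the
    rejected tokens into 'injected' (absent from the declared command) and
    'displaced' (present in it, but the tool no longer accepted them)."""
    findings = []
    pending = None
    for line in log_text.splitlines():
        m = UNUSED_RE.search(line)
        if m:
            # Split on ", " so a token containing bare commas stays intact.
            pending = [t for t in m.group(1).split(", ") if t]
            continue
        m = MSB3073_RE.search(line)
        if m and pending is not None:
            declared = shlex.split(m.group(1))
            findings.append({
                "command": m.group(1),
                "exit_code": int(m.group(2)),
                "injected": [t for t in pending if t not in declared],
                "displaced": [t for t in pending if t in declared],
            })
            pending = None  # the repeated MSB3073 summary line is ignored
    return findings


if __name__ == "__main__":
    for finding in classify_rejected_args(SAMPLE_LOG):
        print("declared :", finding["command"])
        print("injected :", finding["injected"])
        print("displaced:", finding["displaced"])
```

On this log it reports -p:EmitCompilerGeneratedFiles=true and -- as absent from the declared command, and nswag-server.json as declared but rejected.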