CodeQL extension for VS Code docs update #12321
I've left a round of suggestions just about the controller repository. I thought that might make them slightly easier to go through. I'll take a look at the rest of the docs now.
Here are some comments for the rest of the docs. I hope they are useful.
- Visibility of the repository | ||
- Whether analysis is still running (black, moving circle) or finished (green checkmark) | ||
- Number of stars the repository has on GitHub | ||
- How long ago the CodeQL database that was analyzed was created |
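Review bot: the fourth list item describes the age of the CodeQL database, but the thread below establishes that the value shown in the panel is the repository's last-updated time, which can differ from the database age when analysis has not run recently. Suggest the replacement wording "How long ago the repository was last updated" and, since readers may otherwise assume results reflect the latest commit, a short sentence stating that results are based on the most recently stored CodeQL database for the default branch.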
This is actually the time the repo was last updated (which can be various different events, not just a commit). We've had several goes at choosing the wording and there is always this confusion 😬
- How long ago the CodeQL database that was analyzed was created | |
- How long ago the repository was last updated |
🤔 - so the repository could have been updated 5 minutes ago, but the CodeQL database might be a week old because analysis is broken? Or do we only analyze repositories where the CodeQL database is reasonably up to date for the codebase?
so the repository could have been updated 5 minutes ago, but the CodeQL database might be a week old because analysis is broken? Or do we only analyze repositories where the CodeQL database is reasonably up to date for the codebase?
That's right. We have no clever ways of filtering repos based on when they were last updated.
Those metrics (stars, last updated) give the researcher some insight into the repos they are targeting: high star count = popular so impactful if a bug is found. Not updated recently = outdated and possibly vulnerable code.
Thanks for clarifying 👍🏻
|
||
In this example, the user ran variant analysis on a custom list of two repositories. One of the repositories was a private repository and could not be analyzed because they had a public controller repository. Only the public repository was analyzed. To analyze both repositories, they need to edit their settings and update the controller repository to a private repository. For information on how to edit the controller repository, see ":ref:`Customizing settings <customizing-settings>`." | ||
|
||
CodeQL extension error: Bundling pack failed |
This is an edge case that our internal users run into, but external users are very unlikely to. I think it belongs in our internal docs rather than here.
Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com>
|
||
The core functionality of the CodeQL extension helps you write queries and run them locally against a CodeQL database. In contrast, variant analysis allows you to send your CodeQL query to GitHub.com to be tested against a list of repositories. | ||
|
||
When you run variant analysis against a list of repositories, your query is run against each repository that has a CodeQL database available to analyze. GitHub creates and stores CodeQL databases for thousands of public repositories, including every repository that runs code scanning using CodeQL. If you want to run variant analysis on your repositories, you need to enable code scanning using CodeQL on GitHub.com before adding your repository to a list for analysis (either default setup, or advanced setup using the CodeQL action). For information about enabling code scanning using CodeQL, see "`Configuring code scanning automatically <https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning-for-a-repository#configuring-code-scanning-automatically>`__." |
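Review bot: the second paragraph says the query runs against "each repository that has a CodeQL database available to analyze" but never says which database that is or how current it is; per the agreement later in this thread, add a sentence stating that GitHub stores only the most recently created CodeQL database from the default branch, so results reflect that snapshot rather than the current state of the code. Separately, the parenthetical "(either default setup, or advanced setup using the CodeQL action)" currently attaches to "adding your repository to a list for analysis"; move it to directly follow "enable code scanning using CodeQL on GitHub.com", which is what it qualifies.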
Is it important to say how often the database is created and what branch is being used?
My understanding is that a database is saved only for the default branch and only a single database is saved. So, every time code scanning is run on main, the database that gets created is stored and the previous database is removed.
This feels like information I would want to know as a user.
Good question @aeisenberg. I think stating that we only store the most recently created CodeQL database from the default branch should be sufficient.
@felicitymay - this LGTM ✨
I've left a few comments and suggestions for your consideration. The only thing blocking is the link to provide feedback.
"variantAnalysis": { | ||
"repositoryLists": [ | ||
{ | ||
"name": "My favourite JavaScript repos", |
Nit: US spelling so should be "favorite"
|
||
For information on the purpose and requirements for a controller repository, see ":ref:`Setting up a controller repository for variant analysis <controller-repository>`." | ||
|
||
You can also edit the items shown in the Variant analysis repositories panel by editing a file in your Visual Studio Code workspace called ``databases.json``. This file contains a JSON representation of all the items displayed in the panel. To open your ``databases.json`` file in an editor window, click the **{ }** icon in the top right of the variant analysis repositories panel. You can then see a structured representation of the repos, orgs and lists in your panel. For example: |
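Review bot: the last two sentences of this paragraph drop into informal register ("repos, orgs and lists") while the rest of the page spells these out; use "repositories, organizations, and lists" for consistency with the panel's own labels. The paragraph also mixes "Variant analysis repositories panel" and "variant analysis repositories panel" within three sentences; pick one capitalization for the panel name and apply it across the file.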
You're not consistent in the way that you refer to the panel here:
Variant analysis repositories panel vs variant analysis repositories panel
I thought that I'd fixed all of these, thanks for spotting this one, I'll have another find and replace 💖
@@ -30,6 +30,8 @@ Running path queries in VS Code | |||
#. Click each step to jump to it in the source code and investigate the problem further. | |||
#. To navigate the results from your keyboard, you can bind shortcuts to the **CodeQL: Navigate Up/Down/Left/Right in Result Viewer** commands. | |||
|
|||
When you are ready to run a path query at scale, you can use the Variant Analysis Repositories panel to run the query against up to 1000 repositories on GitHub.com. For information on running analysis at scale across many CodeQL databases, see ":ref:`Running CodeQL queries at scale with multi-repository variant analysis <running-codeql-queries-at-scale-with-mrva>`." |
Again about consistency: Variant Analysis Repositories panel (would be great to consolidate the capitalization and syntax we use for this panel)
Should it be 1,000 here?
|
||
.. include:: ../reusables/beta-note-mrva.rst | ||
|
||
This article explains how to debug problems with variant analysis. That is, analysis run using GitHub Actions |
This article explains how to debug problems with variant analysis. That is, analysis run using GitHub Actions | |
This article explains how to debug problems with variant analysis, that is, analysis run using GitHub Actions |
:width: 600 | ||
:alt: Screenshot of the "Variant Analysis Results" view showing a warning banner with the text "warning: Problem with controller repository" and "Publicly visible controller repository can't be used to analyze private repositories. 1 private repository was not analyzed." The "Show logs" button is highlighted with a dark orange outline. | ||
|
||
In this example, the user ran variant analysis on a custom list of two repositories. One of the repositories was a private repository and could not be analyzed because they had a public controller repository. Only the public repository was analyzed. To analyze both repositories, they need to edit their settings and update the controller repository to a private repository. For information on how to edit the controller repository, see ":ref:`Customizing settings <customizing-settings>`." |
In this example, the user ran variant analysis on a custom list of two repositories. One of the repositories was a private repository and could not be analyzed because they had a public controller repository. Only the public repository was analyzed. To analyze both repositories, they need to edit their settings and update the controller repository to a private repository. For information on how to edit the controller repository, see ":ref:`Customizing settings <customizing-settings>`." | |
In this example, the user ran variant analysis on a custom list of two repositories. One of the repositories was a private repository and could not be analyzed because they had a public controller repository. Only the public repository was analyzed. To analyze both repositories, this user needs to edit their settings and update the controller repository to a private repository. For information on how to edit the controller repository, see ":ref:`Customizing settings <customizing-settings>`." |
|
||
Note | ||
|
||
Multi-repository variant analysis is currently available as a beta release and is subject to change. To use this feature you must upgrade the CodeQL extension for Visual Studio Code to a minimum of version 1.8.0. |
Multi-repository variant analysis is currently available as a beta release and is subject to change. To use this feature you must upgrade the CodeQL extension for Visual Studio Code to a minimum of version 1.8.0. | |
Multi-repository variant analysis is currently available as a beta release and is subject to change. To use this feature, you must upgrade the CodeQL extension for Visual Studio Code to a minimum of version 1.8.0. |
Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com>
One final suggestion, but otherwise this looks great (pending the last few missing links). Thanks @felicitymay (and @mchammer01 for the review) ❤️
…es-at-scale-with-mrva.rst Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com>
…es-at-scale-with-mrva.rst Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com>
This is ready for review now. The changes have had a general review by stakeholders and the initial feedback addressed.
For a link to a workflow run that generates the preview docs, see the associated content issue or ask me.