Description
Hello,

We have set up a CodeQL code scanning job in our Ruby project, and it takes over 6 hours to run and never completes. I have tried using both the default queries as well as security-extended and security-and-quality, but they hang forever and never complete. We run two jobs (for Ruby and JavaScript) using a language matrix. This is our codeql-analysis.yml file. Currently timeout-minutes is set to 25, but only to limit the run time and cut the cost of the job, because we pay for it and it never completes. It was set to 6 hours, but it didn't complete either.
```yaml
name: "CodeQL"

on:
  push:
    branches: [ "master" ]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [ "master" ]

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    timeout-minutes: 25
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ 'ruby', 'javascript' ]
        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support

    steps:
    - name: Checkout repository
      uses: actions/checkout@v3

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ matrix.language }}
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.

        # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
        # queries: security-extended,security-and-quality

    # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
      uses: github/codeql-action/autobuild@v2

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun

    #   If the Autobuild fails above, remove it and uncomment the following three lines.
    #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.

    # - run: |
    #   echo "Run, Build Application using script"
    #   ./location_of_script_within_repo/buildscript.sh

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
      with:
        category: "/language:${{matrix.language}}"
```
Here are some logs; as you can see, it just sits there and does not progress at all.
```
Starting evaluation of codeql/ruby-queries/queries/security/cwe-020/IncompleteUrlSubstringSanitization.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-020/MissingRegExpAnchor.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-020/OverlyLargeRange.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-022/PathInjection.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-078/CommandInjection.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-078/KernelOpen.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-078/NonConstantKernelOpen.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-078/UnsafeShellCommandConstruction.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-079/ReflectedXSS.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-079/StoredXSS.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-079/UnsafeHtmlConstruction.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-089/SqlInjection.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-094/CodeInjection.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-094/UnsafeCodeConstruction.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-116/BadTagFilter.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-116/IncompleteMultiCharacterSanitization.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-116/IncompleteSanitization.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-117/LogInjection.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-1333/PolynomialReDoS.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-1333/ReDoS.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-1333/RegExpInjection.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-134/TaintedFormatString.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-209/StackTraceExposure.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-295/RequestWithoutValidation.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-300/InsecureDependencyResolution.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-312/CleartextLogging.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-312/CleartextStorage.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-327/BrokenCryptoAlgorithm.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-352/CSRFProtectionDisabled.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-502/UnsafeDeserialization.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-506/HardcodedDataInterpretedAsCode.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-598/SensitiveGetQuery.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-601/UrlRedirect.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-611/Xxe.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-732/WeakCookieConfiguration.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-798/HardcodedCredentials.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-829/InsecureDownload.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-912/HttpToFileAccess.ql.
Starting evaluation of codeql/ruby-queries/queries/security/cwe-918/ServerSideRequestForgery.ql.
Starting evaluation of codeql/ruby-queries/queries/summary/LinesOfCode.ql.
[3/46 eval 2.4s] Evaluation done; writing results to codeql/ruby-queries/queries/summary/LinesOfCode.bqrs.
Starting evaluation of codeql/ruby-queries/queries/summary/LinesOfUserCode.ql.
Starting evaluation of codeql/ruby-queries/queries/summary/NumberOfFilesExtractedWithErrors.ql.
[4/46 eval 8ms] Evaluation done; writing results to codeql/ruby-queries/queries/summary/LinesOfUserCode.bqrs.
Starting evaluation of codeql/ruby-queries/queries/summary/NumberOfSuccessfullyExtractedFiles.ql.
[5/46 eval 3ms] Evaluation done; writing results to codeql/ruby-queries/queries/summary/NumberOfFilesExtractedWithErrors.bqrs.
[6/46 eval 5ms] Evaluation done; writing results to codeql/ruby-queries/queries/summary/NumberOfSuccessfullyExtractedFiles.bqrs.
[7/46 eval 1m16s] Evaluation done; writing results to codeql/ruby-queries/queries/security/cwe-020/IncompleteUrlSubstringSanitization.bqrs.
[8/46 eval 1m30s] Evaluation done; writing results to codeql/ruby-queries/queries/security/cwe-300/InsecureDependencyResolution.bqrs.
[9/46 eval 1m33s] Evaluation done; writing results to codeql/ruby-queries/queries/security/cwe-352/CSRFProtectionDisabled.bqrs.
[10/46 eval 1m36s] Evaluation done; writing results to codeql/ruby-queries/queries/security/cwe-732/WeakCookieConfiguration.bq
```
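The log above has a useful shape: every query announces itself with `Starting evaluation of <path>.ql.` and, when it finishes, reports `[i/46 eval <time>] Evaluation done; writing results to <path>.bqrs.`. In the excerpt, the completions that do appear are the cheap summary queries (milliseconds) and a handful of security queries at around 1.5 minutes each, while most of the queries announced at the top have no completion line at all. The script below is an added diagnostic, not part of the original issue or of the CodeQL project: it pairs start lines with their completion lines and prints which queries finished (and how long they took) and which were still outstanding when the job was killed, so the expensive ones can be identified before deciding what to exclude or how much RAM and time to give the job. The embedded sample log is a constructed excerpt in the same format as the one posted; point the script at the full log downloaded from the Actions run to get the real picture.

```ruby
# Added diagnostic (not the issue author's code): pair each
# "Starting evaluation of <query>.ql." line in a CodeQL analyze log with its
# "[i/N eval <time>] Evaluation done; writing results to <query>.bqrs." line
# and report finished vs. still-running queries.

# Constructed sample in the same format as the log posted in the issue.
SAMPLE_LOG = <<~LOG
  Starting evaluation of codeql/ruby-queries/queries/security/cwe-022/PathInjection.ql.
  Starting evaluation of codeql/ruby-queries/queries/security/cwe-089/SqlInjection.ql.
  Starting evaluation of codeql/ruby-queries/queries/summary/LinesOfCode.ql.
  [3/46 eval 2.4s] Evaluation done; writing results to codeql/ruby-queries/queries/summary/LinesOfCode.bqrs.
  Starting evaluation of codeql/ruby-queries/queries/security/cwe-352/CSRFProtectionDisabled.ql.
  [9/46 eval 1m33s] Evaluation done; writing results to codeql/ruby-queries/queries/security/cwe-352/CSRFProtectionDisabled.bqrs.
LOG

START_RE = /\AStarting evaluation of (?<query>\S+)\.ql\.\z/
DONE_RE  = /\A\[(?<idx>\d+)\/(?<total>\d+) eval (?<time>\S+)\] Evaluation done; writing results to (?<query>\S+)\.bqrs\.\z/

# Convert CodeQL's compact timings ("8ms", "2.4s", "1m33s", "1h2m") to seconds.
def parse_seconds(str)
  total = 0.0
  str.scan(/(\d+(?:\.\d+)?)(ms|h|m|s)/) do |num, unit|
    n = num.to_f
    total += case unit
             when "h"  then n * 3600
             when "m"  then n * 60
             when "s"  then n
             when "ms" then n / 1000.0
             end
  end
  total
end

# Returns { total:, finished: { query => seconds }, outstanding: [query, ...] }.
# Query paths are kept without the .ql/.bqrs suffix so start and done lines match.
def analyze_log(text)
  started  = {}   # query path => start order (insertion order is preserved)
  finished = {}   # query path => seconds taken
  total    = nil
  text.each_line(chomp: true) do |line|
    if (m = START_RE.match(line))
      started[m[:query]] = started.size
    elsif (m = DONE_RE.match(line))
      total ||= m[:total].to_i
      finished[m[:query]] = parse_seconds(m[:time])
    end
  end
  { total: total, finished: finished, outstanding: started.keys - finished.keys }
end

# Human-readable summary: slowest finished queries first, then the ones that
# started but never reported completion (the candidates for the hang).
def report(result)
  lines = ["#{result[:finished].size}/#{result[:total]} queries finished"]
  result[:finished].sort_by { |_, secs| -secs }.each do |q, secs|
    lines << format("  done %9.3fs  %s", secs, File.basename(q))
  end
  lines << "#{result[:outstanding].size} queries started but never finished:"
  result[:outstanding].each { |q| lines << "  hung           #{File.basename(q)}" }
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_LOG : File.read(ARGV[0])
  puts report(analyze_log(text))
end
```

Run it as `ruby codeql_log_triage.rb analyze.log` against the full log (the file name is an assumption). Because the counter in the completion line is `i/N`, the `N` also tells you how many queries the pack contains, so "finished / total" is an honest progress figure even when the job is killed by `timeout-minutes` before the step reports anything else.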