
CodeQL for unity #11791

Open
Burnout156 opened this issue Dec 31, 2022 · 6 comments
Labels
enhancement New feature or request

Comments

@Burnout156

First congratulations to everyone for the CodeQL project, which has even helped me with web projects.

But my request is that you manage to make a version for the Unity game engine.

@Burnout156 Burnout156 added the question Further information is requested label Dec 31, 2022
@jketema jketema added enhancement New feature or request and removed question Further information is requested labels Dec 31, 2022
@hmakholm
Contributor

hmakholm commented Jan 2, 2023

I don't have any first-hand knowledge of Unity, but Google tells me it uses C# as a programming language, which means you're in luck: CodeQL already understands C#.

You'll need a way to build your project from a command line. If that is a standard msbuild command, our usual documentation for using CodeQL for C# should apply. If Unity has its own build tool, chances are still good that it will work out of the box with the codeql database create command if you give it a try.

We don't currently ship any queries that look specifically for unsafe uses of the Unity framework, but the generic C# queries would still apply, and would scan for problems with your use of the C# language itself, or, say, security implications of network transactions that you use the .NET APIs directly to do.

It's not likely we will devote resources to making Unity-specific security queries in the near future, but we would welcome such queries as external contributions against this repository, from anyone who makes the effort to climb the (admittedly somewhat steep) learning curve.

@ah1053

ah1053 commented Mar 15, 2023

I second @Burnout156; it would be nice to have Unity support or a template flow.

Running CodeQL against a Unity Project out of the box results in Build Issues

This error log is out of CodeQL git action

  Error: We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps.  Failure invoking /opt/hostedtoolcache/CodeQL/2.12.3-20230217/x64/codeql/csharp/tools/autobuild.sh with arguments .

@hmakholm Unity requires a different build flow, a good example of this will be here https://game.ci/

@hmakholm
Contributor

Right, if our attempts to autobuild the project don't work, you'll have to provide your own build steps in place of it, as explicit workflow steps between the github/codeql-action/initialize and github/codeql-action/analyze steps.

Unfortunately this does mean that the "default setup" for Code Scanning cannot be used and you need to explicitly check a custom workflow definition for CodeQL into the repo.
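A custom workflow of the kind hmakholm describes, added here as an illustration and not code from the thread or from the codeql-action project: the Unity Editor batchmode invocation that rk-limitbreak posts later in the thread replaces autobuild between the init and analyze steps (the action is named init; the comment calls it initialize). Assumed: a self-hosted runner with a licensed Editor at the placeholder path in UNITY_EDITOR, a BuildScript.BuildAndroid method in the project, and that the CodeQL tracer can observe the Editor's compiler processes, which the thread does not confirm.

```yaml
name: CodeQL (Unity, C#)

on:
  push:
    branches: [main]
  pull_request:

jobs:
  analyze:
    # Assumption: a self-hosted runner with the Unity Editor installed and
    # activated. A build inside a separate container (for example game.ci's
    # unity-builder) runs in a process tree the CodeQL tracer cannot observe,
    # so the Editor is invoked directly on the runner here.
    runs-on: self-hosted
    permissions:
      contents: read
      security-events: write   # required to upload the analysis results
    env:
      UNITY_EDITOR: /opt/unity/Editor/Unity   # placeholder, adjust to your install
    steps:
      - uses: actions/checkout@v4

      - uses: github/codeql-action/init@v3
        with:
          languages: csharp

      # Custom build step in place of autobuild; the tracer set up by init
      # follows the compilers this command launches.
      - name: Build Unity project (traced by CodeQL)
        run: |
          set -euo pipefail
          "$UNITY_EDITOR" \
            -projectPath "$GITHUB_WORKSPACE" \
            -quit -batchmode -nographics \
            -buildTarget android \
            -executeMethod BuildScript.BuildAndroid \
            -logFile unity-build.log
          # Whatever the Editor's exit code, treat script compiler errors in
          # the log as a failure so analyze does not run on a broken build.
          if grep -q "Scripts have compiler errors" unity-build.log; then
            echo "::error::Unity script compilation failed; see unity-build.log"
            tail -n 40 unity-build.log
            exit 1
          fi

      - uses: github/codeql-action/analyze@v3
```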

@Burnout156
Author

Thanks for the help @ah1053, in fact it needs a different construction, and I still don't have enough skill to implement it

@armando-fandango

@Burnout156 I think you will need your custom container and Unity Editor in that custom container with License to build.

@rk-limitbreak

rk-limitbreak commented Jan 11, 2024

Using indirect tracing with csharp for Unity causes compiler errors

codeql database init \
    --source-root ~/unity-project \
    --language=csharp \
    --begin-tracing \
    --overwrite ~/codeql/codeql-db

. ~/codeql/codeql-db/temp/tracingEnvironment/start-tracing.sh

/Applications/Unity/Hub/Editor/2021.3.22f1/Unity.app/Contents/MacOS/Unity \
    -projectPath ~/unity-project \
    -quit \
    -batchmode \
    -nographics \
    -buildTarget android \
    -executeMethod BuildScript.BuildAndroid \
    -logFile android-build.log

Aborting batchmode due to failure:
Scripts have compiler errors.

android-build.log:

...
ExitCode: 134 Duration: 0s69ms
mono_os_sem_post: semaphore_signal failed with error 15
Internal build system error. Backend exited with code 134.
mono_os_sem_post: semaphore_signal failed with error 15
AssetDatabase: script compilation time: 0.345457s
Scripts have compiler errors.
