
Questions to workflow integration #4426

Open
safl opened this issue Oct 7, 2020 · 4 comments
Labels
question Further information is requested

Comments

@safl

safl commented Oct 7, 2020

Hi CodeQL people!

Regarding CodeQL@GitHub via Workflows/Actions, I have four questions that I hope you can help answer, or direct me to the right place to ask these questions.

1. Is it possible to exclude a rule?

The use-case is that a project might disagree with some style-recommendations, e.g. "cpp/trivial-switch".
Would it be possible to have a config along the lines of:

```yaml
name: "CodeQL config"

disable-default-queries: false

queries:
  - uses: security-and-quality
    exclude: cpp/trivial-switch
```

Is something like that possible?

One can go and filter out "post-scan" by setting to "won't fix"; however, that can be very cumbersome when a project generally disagrees on certain code-styles and dogmas.

2. Adding to the above question, is there extensive documentation on all options of the CodeQL config-file somewhere?

3. Is it possible to ignore parts of a statically compiled codebase?

When adding "paths" and "paths-ignore", the scanner informs that those options are only for interpreted languages.
Is there any way to have the same functionality for statically compiled languages?

The use-case is that a project might have third-party code, possibly via submodules, or code for which scanning is not wanted.
One can go and filter out "post-scan" by setting to "won't fix"; however, that can be very cumbersome, especially when contributions arrive via PR which the scanner rejects due to some completely unrelated third-party code already known to the project maintainer.

4. When using CodeQL via lgtm.com one could get a neat "code-quality" badge to put on the project README.
   Is a similar thing available with the security scans?

Thanks!
Simon

@safl safl added the question Further information is requested label Oct 7, 2020
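Questions 1 and 3 above both come down to suppressing results, by query id or by source path, for a compiled language. Until the scanner itself filters them, one workable approach is to filter the SARIF file that the analysis produces before it is uploaded. The script below is an added example for this thread, not code from the issue or from the codeql-action project. It assumes the SARIF 2.1.0 layout CodeQL emits (`runs[].results[]` with a `ruleId` and `locations[].physicalLocation.artifactLocation.uri`); apart from `cpp/trivial-switch`, the rule ids, paths and messages in the sample document are constructed.

```python
"""Post-scan filter for a CodeQL SARIF file: drop results by rule id and by
source path prefix. Added example, not code from this issue or from the
codeql-action project. Assumes the SARIF 2.1.0 layout CodeQL emits
(runs[].results[] carrying a ruleId and locations[].physicalLocation
.artifactLocation.uri); rule ids other than cpp/trivial-switch, the paths
and the messages below are constructed sample values."""
import json
from typing import Iterable

# Constructed sample scan output with three results.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [
        {
            "tool": {"driver": {"name": "CodeQL"}},
            "results": [
                {   # style finding the project disagrees with
                    "ruleId": "cpp/trivial-switch",
                    "message": {"text": "Trivial switch statement."},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": "src/main.c"}}}],
                },
                {   # constructed rule id, located in vendored code
                    "ruleId": "cpp/sample-query",
                    "message": {"text": "Sample finding."},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": "third_party/lib/buf.c"}}}],
                },
                {   # same constructed rule, in first-party code: must survive
                    "ruleId": "cpp/sample-query",
                    "message": {"text": "Sample finding."},
                    "locations": [{"physicalLocation": {
                        "artifactLocation": {"uri": "src/net.c"}}}],
                },
            ],
        }
    ],
}


def result_uris(result: dict) -> list:
    """Return every file uri a result points at (empty list if none)."""
    return [
        loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
        for loc in result.get("locations", [])
    ]


def keep_result(result: dict, excluded_rules: Iterable[str],
                ignored_prefixes: Iterable[str]) -> bool:
    """Decide whether a single SARIF result survives the filter.

    A result is dropped when its ruleId is excluded, or when *every* one of
    its locations lies under an ignored path prefix. A result with no
    location information is kept, so nothing is silently lost."""
    if result.get("ruleId") in set(excluded_rules):
        return False
    uris = result_uris(result)
    prefixes = tuple(ignored_prefixes)
    if uris and all(u.startswith(prefixes) for u in uris):
        return False
    return True


def filter_sarif(sarif: dict, excluded_rules, ignored_prefixes) -> dict:
    """Return a filtered deep copy; the input document is left untouched."""
    out = json.loads(json.dumps(sarif))
    for run in out.get("runs", []):
        run["results"] = [
            r for r in run.get("results", [])
            if keep_result(r, excluded_rules, ignored_prefixes)
        ]
    return out


def count_results(sarif: dict) -> int:
    """Total number of results across all runs."""
    return sum(len(run.get("results", [])) for run in sarif.get("runs", []))


if __name__ == "__main__":
    filtered = filter_sarif(SAMPLE_SARIF, {"cpp/trivial-switch"}, ("third_party/",))
    print(f"{count_results(SAMPLE_SARIF)} results in, {count_results(filtered)} out")
    print(json.dumps(filtered, indent=2))
```

In a workflow this would sit between the analysis step and the upload step, assuming the action version in use can write its SARIF to a directory instead of uploading it directly (the analyze step's `upload` and `output` inputs); the filtered file is then handed to `github/codeql-action/upload-sarif`. Dropping a result only when all of its locations fall under an ignored prefix is deliberate: a data-flow result whose source is in third-party code but whose sink is in first-party code still reaches the reviewer.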
@badcel

badcel commented Jan 23, 2021

I have a similar problem. The code scanning looks very promising. But my project is generating C# code which wraps native calls. This is marked as a code smell but in my case this is the sole purpose of the library.

I think it is not very user friendly that > 1000 "errors" need to be set to "False positive" manually. I suppose that after a code generation change I would need to set the errors to "False positive" again? I'm not aware that some filtering is possible. Is there some possible workaround?

@badcel

badcel commented Jan 23, 2021

After several hours I got it working. This was a lot of trial and error. Perhaps it can be improved more; I stop the research for now as it works for me. It would be awesome if it could be documented that it is possible to filter out queries for compiled languages already.

Workflow:

```yaml
...
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      with:
        languages: ${{ matrix.language }}
        config-file: ./.github/codeql/codeql-config.yml
...
```

I use a custom config, which disables the default queries and calls a custom query suite definition:

```yaml
disable-default-queries: true

queries:
  - uses: ./.github/codeql/queries.qls
```

The query suite definition contains the code of the suite I wanted to use and adds additional exclude information.

```yaml
- description: Security-and-quality queries for C#
- qlpack: codeql-csharp
- apply: security-and-quality-selectors.yml
  from: codeql-suite-helpers
- apply: codeql-suites/exclude-dependency-queries.yml
  from: codeql-csharp
- exclude:
    query filename:
      - CallsUnmanagedCode.ql
      - UnmanagedCodeCheck.ql
      - XmldocMissingSummary.ql
      - SameNameAsSuper.ql
      - CompilerError.ql
      - ExtractorError.ql
      - ExtractorMessage.ql
```

With this configuration it looks to me like all the queries are executed except the ones I explicitly excluded.
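The custom `.qls` suite above excludes queries by filename. An alternative that needs no suite file, added here as an example and not taken from this thread or the codeql-action repository, is the `query-filters` key of the action's config file, which excludes by query id; it assumes the codeql-action version in use is recent enough to support that key. Shown with the `cpp/trivial-switch` id from the opening post:

```yaml
name: "CodeQL config"

# Keep the default suite; individual queries are dropped by id below.
disable-default-queries: false

queries:
  - uses: security-and-quality

# Filters are applied in order; this one removes a single query by its @id.
query-filters:
  - exclude:
      id: cpp/trivial-switch
```

Excluding by id rather than filename keeps the filter stable when a query file is renamed or moved inside the pack, and the same `exclude` block accepts a `tags` selector when a whole class of queries (all style checks, say) should go rather than one rule.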

@github-actions

This issue is stale because it has been open 14 days with no activity. Comment or remove the stale label in order to avoid having this issue closed in 7 days.

@github-actions github-actions bot added the Stale label Apr 16, 2021
@badcel

badcel commented Apr 16, 2021

I'm fine with closing this but I wonder if it would help a lot of people if my findings are somehow documented? (I did not evaluate the current documentation again.)

@github-actions github-actions bot removed the Stale label Apr 17, 2021