Tags: azure-devops, azure-pipelines-yaml, codeql, github-advanced-security

Custom CodeQL query in Azure DevOps in yaml pipeline gives error: No queries defined for javascript


I want to run custom CodeQL queries for Advanced Security in Azure DevOps (this is a feature that is now available in Azure DevOps, not only GitHub). The built-in default queries like security-and-quality work fine. I run them as a batch at night.

But I am now building a new separate pipeline that will also run at night as a batch. With it I want to run a few custom queries looking for specific unwanted patterns in this rather large JavaScript git repository.

All of this is stored and run in Azure DevOps Services. I have started with a simple find-all-TODOs CodeQL query to get things going. But I get this error, which I can't find in the documentation or in the Troubleshooting code scanning FAQ, or see that anyone else has had before:

/opt/hostedtoolcache/CodeQL/2.17.2/x64/codeql/codeql database init --codescanning-config=/home/vsts/work/1/s/.azuredevops/customcodeql/customconfig.yaml --db-cluster /home/vsts/work/_temp/advancedsecurity.codeql/d --source-root=/home/vsts/work/1/s --language=javascript --calculate-baseline
A fatal error occurred: No queries defined for javascript
##[warning] Error running the 'database init' CodeQL command for javascript (2)
##[error]Error running the 'database init' CodeQL command for javascript (2)

====================================================================================================
Analyzing CodeQL execution results.
CodeQL analysis finished with exit code 2.

I have a YAML pipeline with the tasks AdvancedSecurity-Codeql-Init@1, AdvancedSecurity-Codeql-Autobuild@1 and AdvancedSecurity-Codeql-Analyze@1. The task AdvancedSecurity-Codeql-Init@1 points to a CodeQL config YAML file, and in this file I point to a simple TODO CodeQL query. This is, afaik, how it has to be done according to the documentation I have read, e.g. Analysis with custom queries.

I once wrote the wrong path to the CodeQL query. Then I got the error message: A fatal error occurred: ./azuredevops/customcodeql/todos.ql is not a .ql file, .qls file, a directory, or a query pack specification. I corrected the path (added a . in front so it became ./.azuredevops....) and no longer got the can't-find-file type of error, so I assume it finds the file now.

But now I get this other error: "No queries defined for javascript", so I assume that it finds my todos.ql but it does not work anyway.

Here are the three files that I use:

Here is the todo.ql, taken from the examples:

/**
 * @id js/javascript/todocomment
 * @name TODO_comments
 * @description Finds comments containing the word TODO
 * @kind problem
 * @problem.severity recommendation
 * @tags comment
 *       TODO
 */
import javascript

from Comment c
where c.getText().regexpMatch("(?si).*\\bTODO\\b.*")
select c

Here is the CodeQL customconfig.yaml:

name: "Run custom queries"
disable-default-queries: true
queries:
  - name: TODO_comments
    uses: ./.azuredevops/customcodeql/todos.ql
paths:
  - src
paths-ignore:
  - '**/node_modules'
  - '**/*.test.js'
query-filters:
  - include:
      kind: problem

Here is part of the YAML pipeline that is run in Azure DevOps as a batch job. The error occurs on the task AdvancedSecurity-Codeql-Init@1 version 1.1.262 after about 7 seconds.

- stage: Analyze_Custom_CQL
  jobs:
  - job: Analyze
    steps:
    - task: AdvancedSecurity-Codeql-Init@1
      inputs:
        languages: 'javascript'
        loglevel: '3'
        configfilepath: '$(build.sourcesDirectory)/.azuredevops/customcodeql/customconfig.yaml'

    - task: AdvancedSecurity-Codeql-Autobuild@1
      displayName: 'Advanced Security Autobuild'

    - task: AdvancedSecurity-Codeql-Analyze@1

Am I missing something in the todos.ql, metadata or something? I have changed the filter and include in the customconfig.yaml. Tried with or without them.


Solution

  • tl;dr: add a qlpack.yml definition and an extra string column to the todo.ql query.

    In the same directory as the todo.ql query, add a YAML file, e.g. called qlpack.yml. In this file add the following:

    # qlpack.yml: turns this directory into a CodeQL query pack so the CLI can resolve the .ql files in it
    version: 1.0.1
    dependencies:
      # the standard JavaScript library that `import javascript` needs
      codeql/javascript-all: "*"
      codeql/javascript-queries: "*"
    

    I also had to add an extra column in the todo select query. Else it would fail. Here I am just adding foobar ¯\_(ツ)_/¯. But you should of course add something more useful. You can e.g. add templates that take data from the query. See the example here for placeholders.

    /**
     * @id js/javascript/todocomment
     * @name TODO_comments
     * @description Finds comments containing the word TODO
     * @kind problem
     * @problem.severity recommendation
     * @tags comment
     *       TODO
     */
    import javascript
    
    from Comment c
    where c.getText().regexpMatch("(?si).*\\bTODO\\b.*")
    // a @kind problem query needs at least two columns: the element and a message string
    select c, "foobar"
    

    This answer is based on the developercommunity ticket solution and meetings with GitHub Adv Security engineers.
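As an added example (not code from the question or the answer above), here is a variant of the same TODO query that fills the second column with something more useful than "foobar": it uses CodeQL's `$@` message placeholder to link each finding to the file it lives in. The `@id`, `@name` and predicate name are my own choices; the classes and methods used (`Comment`, `Locatable.getFile()`, `File.getRelativePath()`) come from the standard `codeql/javascript-all` library that the qlpack.yml above pulls in.

```ql
/**
 * @id js/custom/todo-comment-with-file
 * @name TODO comments with file context
 * @description Finds comments containing the word TODO and reports the file they live in.
 * @kind problem
 * @problem.severity recommendation
 * @tags maintainability
 *       comment
 */

import javascript

/** Holds if comment `c` contains the whole word TODO, ignoring case. */
predicate isTodoComment(Comment c) {
  c.getText().regexpMatch("(?si).*\\bTODO\\b.*")
}

from Comment c, File f
where isTodoComment(c) and f = c.getFile()
// A @kind problem query needs an element column and a message column.
// Each "$@" in the message is a placeholder that is filled from a following
// (element, text) pair and rendered as a link to that element in the results.
select c, "TODO comment in $@: " + c.getText().trim(), f, f.getRelativePath()
```

Save it next to the qlpack.yml and point the `uses:` entry in customconfig.yaml at it; because it is a `problem` query with two columns, the `kind: problem` query filter in that config keeps it, and the Init task no longer reports "No queries defined for javascript" for this pack.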