I want to run custom CodeQL queries for Advanced Security in Azure DevOps (this is a feature that is now available in Azure DevOps, not only GitHub). The built-in default queries like security-and-quality work fine. I run them as a batch at night.
But I am now building a new, separate pipeline that will also run at night as a batch. With it I want to run a few custom queries looking for specific unwanted patterns in this rather large JavaScript git repository.
All of this is stored and run in Azure DevOps Services. I have started with a simple "find all TODO" CodeQL query to get things going. But I get this error, which I can't find in the documentation or the Troubleshooting code scanning FAQ, or see anyone else having had before:
```text
/opt/hostedtoolcache/CodeQL/2.17.2/x64/codeql/codeql database init --codescanning-config=/home/vsts/work/1/s/.azuredevops/customcodeql/customconfig.yaml --db-cluster /home/vsts/work/_temp/advancedsecurity.codeql/d --source-root=/home/vsts/work/1/s --language=javascript --calculate-baseline
A fatal error occurred: No queries defined for javascript
##[warning] Error running the 'database init' CodeQL command for javascript (2)
##[error]Error running the 'database init' CodeQL command for javascript (2)
====================================================================================================
Analyzing CodeQL execution results.
CodeQL analysis finished with exit code 2.
```
I have a YAML pipeline with the tasks AdvancedSecurity-Codeql-Init@1, AdvancedSecurity-Codeql-Autobuild@1 and AdvancedSecurity-Codeql-Analyze@1.
The task AdvancedSecurity-Codeql-Init@1 points to a CodeQL config YAML file, and in this file I point to a simple TODO CodeQL query. This is, as far as I know, how it has to be done according to the documentation I have read, e.g. Analysis with custom queries.
I once wrote the wrong path to the CodeQL query. Then I got the error message: A fatal error occurred: ./azuredevops/customcodeql/todos.ql is not a .ql file, .qls file, a directory, or a query pack specification.
I corrected the path (added a `.` in front so it became ./.azuredevops....) and no longer got the "can't find file" type of error, so I assume it finds the file now.
But now I get this other error: "No queries defined for javascript", so I assume that it finds my todos.ql but it does not work anyway.
Here are the three files that I use.
Here is the todo.ql, taken from the examples:
```ql
/**
 * @id js/javascript/todocomment
 * @name TODO_comments
 * @description Finds comments containing the word TODO
 * @kind problem
 * @problem.severity recommendation
 * @tags comment
 *       TODO
 */

import javascript

from Comment c
where c.getText().regexpMatch("(?si).*\\bTODO\\b.*")
select c
```
Here is the CodeQL customconfig.yaml:
```yaml
name: "Run custom queries"
disable-default-queries: true
queries:
  - name: TODO_comments
    uses: ./.azuredevops/customcodeql/todos.ql
paths:
  - src
paths-ignore:
  - '**/node_modules'
  - '**/*.test.js'
query-filters:
  - include:
      kind: problem
```
Here is part of the YAML pipeline that is run in Azure DevOps as a batch job. The error occurs on the task AdvancedSecurity-Codeql-Init@1, version 1.1.262, after about 7 seconds:
```yaml
- stage: Analyze_Custom_CQL
  jobs:
    - job: Analyze
      steps:
        - task: AdvancedSecurity-Codeql-Init@1
          inputs:
            languages: 'javascript'
            loglevel: '3'
            configfilepath: '$(build.sourcesDirectory)/.azuredevops/customcodeql/customconfig.yaml'
        - task: AdvancedSecurity-Codeql-Autobuild@1
          displayName: 'Advanced Security Autobuild'
        - task: AdvancedSecurity-Codeql-Analyze@1
```
Am I missing something in the todos.ql, metadata or something? I have changed the filter and include in the customconfig.yaml. Tried with and without them.
tl;dr: add a qlpack.yml definition and an extra string column to the todo.ql query.
In the same directory as the todo.ql query, add a YAML file, e.g. called qlpack.yml. In this file add the following:
```yaml
# A qlpack.yml also needs a pack name; "custom/javascript-todo-queries" is a placeholder, pick your own.
name: custom/javascript-todo-queries
version: 1.0.1
dependencies:
  codeql/javascript-all: "*"
  codeql/javascript-queries: "*"
```
I also had to add an extra column in the todo select query. Otherwise it would fail. Here I am just adding foobar ¯\_(ツ)_/¯. But you should of course add something more useful. You can e.g. add templates that take data from the query. See the example here for placeholders.
```ql
/**
 * @id js/javascript/todocomment
 * @name TODO_comments
 * @description Finds comments containing the word TODO
 * @kind problem
 * @problem.severity recommendation
 * @tags comment
 *       TODO
 */

import javascript

from Comment c
where c.getText().regexpMatch("(?si).*\\bTODO\\b.*")
// A @kind problem query must select an element plus a message string.
select c, "foobar"
```
This answer is based on the developercommunity ticket solution and meetings with GitHub Adv Security engineers.
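As an added example (not from the question or the answer above), here is a version of the TODO query that replaces the "foobar" column with a useful message and a `$@` placeholder linking to the innermost JavaScript function that contains the comment. It assumes the same qlpack.yml with the codeql/javascript-all dependency as in the answer; the predicates `encloses` and `functionLabel` are my own names, while `Comment`, `Function`, `getLocation()` and `getName()` come from the standard CodeQL JavaScript library.

```ql
/**
 * @id js/custom/todo-comment-in-function
 * @name TODO comments inside functions
 * @description Finds TODO comments and reports which function contains them.
 * @kind problem
 * @problem.severity recommendation
 * @precision medium
 * @tags comment
 *       TODO
 */

import javascript

/** Holds if the text of comment `c` contains the word TODO (case-insensitive). */
predicate isTodo(Comment c) { c.getText().regexpMatch("(?si).*\\bTODO\\b.*") }

/** Holds if function `f` spans the lines on which comment `c` sits, in the same file. */
predicate encloses(Function f, Comment c) {
  f.getFile() = c.getFile() and
  f.getLocation().getStartLine() <= c.getLocation().getStartLine() and
  f.getLocation().getEndLine() >= c.getLocation().getEndLine()
}

/** A label for `f`; anonymous functions have no name, so give them a fixed label. */
string functionLabel(Function f) {
  result = f.getName()
  or
  not exists(f.getName()) and result = "anonymous function"
}

from Comment c, Function f
where
  isTodo(c) and
  encloses(f, c) and
  // Keep only the innermost enclosing function: no enclosing function starts later.
  not exists(Function g |
    encloses(g, c) and g != f and
    g.getLocation().getStartLine() > f.getLocation().getStartLine()
  )
// Problem queries select an element and a message; each $@ is replaced by a link to the
// element/label pair that follows the message.
select c, "TODO comment inside $@: " + c.getText().trim(), f, functionLabel(f)
```

Comments outside any function (e.g. at module top level) are deliberately not reported by this query; drop the `encloses` condition and the placeholder if you want those as well.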