CodeQL: Setting paths in Github Advanced Security for Azure Devops

[woeterman94]

I'm using Github Advanced Security in Azure devops in a monorepo. With the given folder structure:

.
└── apps/
    ├── frontend/
    │   ├── green-app
    │   └── red-app
    └── backend/
        ├── green-app
        └── red-app

By default the codeql task will scan the ENTIRE code base. Which is not what I want.

How can I configure Github advanced security to only scan one project? For example the front-end and backend folder for the green-app.

I tried setting the sources folder to the back-end folder. But then I'm not able to "reach" the front-end folder when I set the codeqlpathstoinclude parameter. When I try this:

  - task: AdvancedSecurity-Codeql-Init@1
    condition: and(succeededOrFailed(), ${{parameters.runGithubAdvancedSecurity}})
    displayName: 'Github Advanced Security: Initialize 🛡'
    inputs:
      languages: 'csharp,javascript'
      sourcesfolder: '$(System.DefaultWorkingDirectory)/apps/backend/green-app'
      codeqlpathstoinclude: '../frontend/green-app'

(Following the docs: "The paths must be relative to the sourcesfolder where CodeQL is running, which defaults to the Build.SourcesDirectory pipeline environment variable. For example, to include the $(Build.SourcesDirectory)/app directory, set codeqlpathstoinclude: app rather than codeqlpathstoinclude: $(Build.SourcesDirectory)/app.")

I get:

Only found JavaScript or TypeScript files that were empty or contained syntax errors

Wildcards are also giving issues:
apps/*/green-app/**/*

What am I doing wrong here? Any other way i can accomplish this?

[jketema]

Hi @woeterman94,

I've asked people knowledgeable about the Azure Devops setup to take a look at your question. Note that their response might be somewhat delayed, because many people have holidays around this time of year.

[felickz]

I would suggest a similar approach:

• remove sources folder directive, you are accomplishing that with paths include filter
• use paths include with glob: apps/**/green-app/**
  • Standard glob rules for CodeQL apply: here
• CSharp paths include/ignore filtering only works if you switch to none for buildtype , testing with your JS should still work though (docs). Otherwise CodeQL CSharp will scan everything that compiles between Init and Analyze steps.

[woeterman94]

you are accomplishing that with paths include filter

I thought the paths include filter only works for typescript code and not C#?

codeqlpathstoinclude setting applies only when you run the CodeQL tasks on an interpreted language (Python, Ruby, and JavaScript/TypeScript).

How can I include only the C# code for the project I'm building?
Also, how can I set buildtype in codeQL for Azure Devops?

[felickz]

I thought the paths include filter only works for typescript code and not C#?

Ah great catch, need a docs update to support the scanning without a build feature: MicrosoftDocs/azure-devops-yaml-schema#360

How can I include only the C# code for the project I'm building?
Also, how can I set buildtype in codeQL for Azure Devops?

The docs for setting the build type none are @Code scanning build mode customization
(task documentation)

• none - the CodeQL database is created directly from the codebase without building the codebase (all C# source code under the source root - observes the path / paths-ignore filters)
• manual - (this is the out of the box behavior) everything you build between the Init and Analyze steps is included.