paths / paths-ignore DOES seem to work for Go, yet annotation says is doesnt

[erzz]

I battled for a while to get the action to only run for Go and a specific directory in a multi-language mono-repo.

I seemed to successful with the following:

- name: Initialize CodeQL
  uses: github/codeql-action/init@v3
  with:
    languages: go
    config: |
      paths:
        - ${{ inputs.path }}

By successful I mean that I can see in the SARIF reports that I am only getting locations related to the go part of the repository (before I was seeing everything from all languages in the reports).

So, the evidence suggests that this combination does what I needed - yet I get the annoying annotation below on every run:

Is it a faulty annotation?

[ginsbach]

Hi @erzz,

Thank you for the question! The annotation is not faulty (cf. our documentation here). The paths array only has an effect on interpreted languages. For compiled languages (such as Go), you can either rely on autobuild or provide explicit build steps. You can use the following documentation as a guide: https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language

[erzz]

Thanks @ginsbach

Hmmm then perhaps the issue is more that without that input, the SARIF report is polluted with non-Go related locations

e.g.s

"invocations" : [ {
      "toolExecutionNotifications" : [ {
        "locations" : [ {
          "physicalLocation" : {
            "artifactLocation" : {
              "uri" : "tests/node-sample-app/index.html",
              "uriBaseId" : "%SRCROOT%",
              "index" : 0
            }
          }
        } ],
        "message" : {
          "text" : ""
        },
        "level" : "none",
        "descriptor" : {
          "id" : "go/diagnostics/successfully-extracted-files",
          "index" : 1,
          "toolComponent" : {
            "index" : 0
          }
        },
        "properties" : {
          "formattedMessage" : {
            "text" : ""
          }
        }
      },

...

{
        "locations" : [ {
          "physicalLocation" : {
            "artifactLocation" : {
              "uri" : "src/components/OutputList/index.js",
              "uriBaseId" : "%SRCROOT%",
              "index" : 5
            }
          }
        } ],
        "message" : {
          "text" : ""
        },
        "level" : "none",
        "descriptor" : {
          "id" : "cli/expected-extracted-files/javascript",
          "index" : 0
        },
        "properties" : {
          "formattedMessage" : {
            "text" : ""
          }
        }
      }, {
        "locations" : [ {
          "physicalLocation" : {
            "artifactLocation" : {
              "uri" : "sidebars.js",
              "uriBaseId" : "%SRCROOT%",
              "index" : 6
            }
          }
        } ],
        "message" : {
          "text" : ""
        },
        "level" : "none",
        "descriptor" : {
          "id" : "cli/expected-extracted-files/javascript",
          "index" : 0
        },
        "properties" : {
          "formattedMessage" : {
            "text" : ""
          }
        }
      },

...

Its nothing breaking or anything - just hard work when debugging or trying to interpret the SARIF with human eyes. With the config we get a much shorter and cleaner output only on the intended resources.

[ginsbach]

I have asked the Go team for a clarification.

[smowton]

Can you post or link to your whole codeql action yaml file?

[erzz]

Hi - sure! Its actually a resusable with a bunch of security related jobs... but here is the relevant parts at least

jobs:
  # <---------------------- CODEQL ----------------------->
  codeql:
    if: ${{ inputs.codeql-enable }}
    name: CodeQL
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Source
        uses: actions/checkout@v4

      - name: Setup Go
        uses: actions/setup-go@v5
        with:
          go-version-file: "${{ inputs.path }}/${{ inputs.go-version-file }}"
          check-latest: ${{ inputs.go-check-latest }}
          cache: ${{ inputs.go-cache }}
          cache-dependency-path: "${{ inputs.path }}/${{ inputs.go-cache-path }}"
          architecture: ${{ inputs.go-architecture }}

      - name: Initialize CodeQL
        uses: github/codeql-action/init@v3
        with:
          languages: go

      - name: Run build
        run: |
          cd "$GITHUB_WORKSPACE/${{ inputs.path }}"
          ${{ inputs.build-command }}

      - name: Perform CodeQL Analysis
        id: codeql
        uses: github/codeql-action/analyze@v3

      - name: Upload Reports
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: CodeQL Reports
          path: ${{ steps.codeql.outputs.sarif-output }}

[smowton]

Ah sorry, @ginsbach is right; this is expected behaviour. The various "expected-extracted-file" reports serve to inform the UI that it could be useful to enable languages other than golang if they are not already being analysed.