source-root is not applied in SARIF output

[meriouma]

I'm not sure if I got the doc wrong, but I have a project with multiple folders and when running CodeQL on a single sub-folder using source-root like this :

runs:
  using: composite
  steps:
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ inputs.languages }}
        source-root: packages/react

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v2
      with:
        category: ${{ inputs.category }}
        checkout_path: packages/react # Tried with or without this

In the sarif output, the artifactLocation.uri properties are relative to packages/react, which once uploaded to Github code scanning, yields invalid paths in the repository, as they are relative from the source-root, instead of the repository root.

[edoardopirovano]

Greetings, many thanks for getting in touch with this question. That is indeed what the source-root option will do, and it is almost certainly not the option you want to be using. Is your goal to only scan files in the packages/react folder? If so, I would recommend using the paths property of the configuration file as documented here.

In particular, you'll want to make a file called ./.github/codeql/codeql-config.yml (or add to your exist one if you already have it) that contains:

paths:
  - packages/react

Then, in your init step do:

    - name: Initialize CodeQL
      uses: github/codeql-action/init@v2
      with:
        languages: ${{ inputs.languages }}
        config-file: ./.github/codeql/codeql-config.yml

I hope that's helpful! Do let me know if that works for you or if you have any further questions.

[meriouma]

Thank you @edoardopirovano. This makes sense.
I was hoping to be able to pass the paths to scan as an input to the init action, as I have multiple folders that I wanted to scan individually with a different category. As a workaround I am now writing the config file in the action to output the path based on the inputs.working-directory I am passing.

[edoardopirovano]

Aha, I see. That is an interesting use case that we don't have an easy path for. Your workaround sounds reasonable, and is what I would've suggested too. We'll certainly keep your scenario in mind if we ever do a major reshuffle of how these parameters are configured!

cc. @aeisenberg as the above is likely to be of interest to you.

[aeisenberg]

Thanks for the issue. I think the feature you want is to be able to pass the paths and paths-ignore config options as action inputs. This is straightforward enough to do. It's not on our roadmap right now and if we get any more requests for a feature like this, we will consider it. Though, it sounds like you have a reasonable workaround.