JS Scanner Runs Extremely Slow in CodeQL Analysis

[laipz8200]

Hi,

We have observed that the JavaScript scanner in CodeQL runs extremely slowly. Below is a snippet from the logs:

[90/90 eval 156m41s] Evaluation done; writing results to codeql/javascript-queries/Security/CWE-730/RegExpInjection.bqrs.

more info

This task took 156 minutes to complete, leading to a total execution time of approximately 2.5 hours for our GitHub Actions workflow. This significantly impacts our CI/CD efficiency.

Expected Behavior

We expect the JavaScript scanning process to complete in a more reasonable timeframe to ensure smooth and efficient CI/CD pipelines.

Actual Behavior

The scanning process is taking an excessive amount of time, causing long delays in our GitHub Actions runs.

[redsun82]

👋 @laipz8200 I'm sorry to hear you encountered this problem. It seems like the RegExpInjection query explodes on your repository. I will forward this info to the internal team working on it, having your repository as a reproducer will surely help!

[asgerf]

Hi @laipz8200.

Thanks for the report.

As also mentioned in github/codeql#18584, this is a consequence of our recent switch to the same data flow library used by other languages. There are rare cases where this type of slowdown can occur and we're looking into ways to fix it, but for now I've added this reproduction case to our internal tracking issue.

In the meantime, the best workaround I can offer is to disable the specific query, by adding this to a file called .github/codeql/codeql-configuration.yml:

query-filters:
  - exclude:
      id: js/regex-injection

[laipz8200]

In the meantime, the best workaround I can offer is to disable the specific query, by adding this to a file called .github/codeql/codeql-configuration.yml:

Thank you all very much for your responses. I tried adding the configuration file to the project, but it doesn’t seem to have solved the problem. I’m using GitHub’s default configuration—should I switch to the advanced configuration?

Here is the PR I used for testing: langgenius/dify#13365