
How can you tie git blame information to CodeQL violations #21733

@chri7325

Description of the issue

My company is setting up CodeQL scans for all our products using the codeql CLI and Jenkins as the orchestrator. I'm cloning the full git repo so all history of the repos is available to CodeQL, but the violations that show up on GitHub Enterprise tie all found issues to the latest commit of the repo instead of the actual commit that brought in the violation. I'm wondering if I'm doing something wrong here. I've also tried using sarif-tools to add git blame information, but new violations are still not pointing to the actual commit that changed the code. I would appreciate any pointers on this. Here's example code of what I'm doing.

  stage('analyze') {
    echo('\ninfo: analyze\n')
    // the results of the analysis are saved in SARIF format to be uploaded to github and reported in Jenkins. The
    // sarif tool will be used to filter results and add blame information before uploading the results to github
    sh('''#!/bin/bash -x
      codeql database analyze codeql-db \
        --format=sarifv2.1.0 \
        --output=${REPO}/codeql_raw.sarif \
        --sarif-add-baseline-file-info \
        --threads=0 \
        || exit 1

      /usr/local/devops/python/bin/sarif copy --filter ${REPO}/.codeql --output ${REPO}/codeql.sarif ${REPO}/codeql_raw.sarif || exit 1
      /usr/local/devops/python/bin/sarif blame --code ${REPO} ${REPO}/codeql.sarif || exit 1
    ''')
  }

  stage('upload') {
    echo('\ninfo: upload\n')
    // upload the results to github to see the issues on the CodeQL dashboard. Set GITHUB_TOKEN, which is required for
    // the upload-results codeql command and set the ref to main for the results to be viewable on the default dashboard
    withCredentials([usernamePassword(credentialsId: 'github_app', usernameVariable: 'GITHUB_APP', passwordVariable: 'GITHUB_TOKEN')]) {
      sh('''#!/bin/bash -x
        codeql github upload-results \
          --checkout-path=${REPO} \
          --ref=refs/heads/main \
          --sarif=${REPO}/codeql.sarif
      ''')
    }
  }
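For readers who want to see what "tying blame to a SARIF result" concretely involves, the following is an added example, not code from the issue author, from sarif-tools or from the CodeQL CLI. It parses the header format of `git blame --porcelain` (one SHA/orig-line/final-line header per blamed line, with author and committer fields emitted only the first time a commit is seen) and writes, for each result, the commit that most recently touched the flagged region into `result.properties.blame`. The SARIF document and the blame output below are constructed sample data; `git_blame` is the hypothetical hook that would produce real porcelain output by shelling out to git, and it is not exercised by the sample.

```python
"""Attach git blame data to CodeQL SARIF results (added example, not project code)."""
import copy
import json
import subprocess
from typing import Callable, Dict, Iterable

# Constructed sample: what `git blame --porcelain -L 3,5 -- src/app.py` would print
# for a three-line region touched by two commits. Header lines carry
# "<sha> <orig-line> <final-line> [<group-size>]"; content lines start with a TAB;
# author/committer fields appear only the first time a commit is listed.
SAMPLE_PORCELAIN = """\
deadbeefdeadbeefdeadbeefdeadbeefdeadbeef 3 3 1
author Alice
author-mail <alice@example.com>
author-time 1700000000
author-tz +0000
committer Alice
committer-mail <alice@example.com>
committer-time 1700000000
committer-tz +0000
summary add query handler
filename src/app.py
\tquery = "SELECT * FROM users WHERE name = '" + name + "'"
cafebabecafebabecafebabecafebabecafebabe 4 4 2
author Bob
author-mail <bob@example.com>
author-time 1700050000
author-tz +0000
committer Bob
committer-mail <bob@example.com>
committer-time 1700050000
committer-tz +0000
summary run query
filename src/app.py
\tcursor.execute(query)
cafebabecafebabecafebabecafebabecafebabe 5 5
\treturn cursor.fetchall()
"""

# Constructed minimal SARIF 2.1.0 document with one result spanning lines 3-5.
SAMPLE_SARIF = {
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "CodeQL"}},
        "results": [{
            "ruleId": "py/sql-injection",
            "message": {"text": "constructed example result"},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": "src/app.py"},
                "region": {"startLine": 3, "endLine": 5}}}],
        }],
    }],
}

BlameMap = Dict[int, Dict[str, str]]  # final line number -> commit metadata


def parse_blame_porcelain(text: str) -> BlameMap:
    """Map each blamed (final) line number to the metadata of its commit."""
    commits: Dict[str, Dict[str, str]] = {}
    lines: BlameMap = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("\t"):
            continue  # source content line; nothing to record
        head = raw.split(" ")
        is_sha = len(head[0]) == 40 and all(c in "0123456789abcdef" for c in head[0])
        if is_sha and len(head) >= 3 and head[1].isdigit():
            current = head[0]
            # One shared dict per commit, so fields parsed later fill every line of it.
            lines[int(head[2])] = commits.setdefault(current, {"commit": current})
        elif current is not None and " " in raw:
            key, _, value = raw.partition(" ")
            commits[current].setdefault(key.replace("-", "_"), value)
    return lines


def git_blame(repo: str, path: str, start: int, end: int) -> BlameMap:
    """Hypothetical real-world hook: run git blame on the analysed checkout."""
    proc = subprocess.run(
        ["git", "-C", repo, "blame", "--porcelain", "-L", f"{start},{end}", "--", path],
        check=True, capture_output=True, text=True)
    return parse_blame_porcelain(proc.stdout)


def newest_commit(touched: Iterable[Dict[str, str]]) -> Dict[str, str]:
    """The commit that most recently changed any line of the region."""
    return max(touched, key=lambda m: int(m.get("author_time", "0")))


def annotate_sarif(sarif: dict, blame: Callable[[str, int, int], BlameMap]) -> dict:
    """Add a `blame` property to each result from its first physical location."""
    for run in sarif.get("runs", []):
        for result in run.get("results", []):
            for loc in result.get("locations", []):
                phys = loc.get("physicalLocation", {})
                uri = phys.get("artifactLocation", {}).get("uri")
                start = phys.get("region", {}).get("startLine")
                if not uri or not start:
                    continue
                end = phys["region"].get("endLine", start)
                per_line = blame(uri, start, end)
                touched = [per_line[n] for n in range(start, end + 1) if n in per_line]
                if not touched:
                    continue
                newest = newest_commit(touched)
                result.setdefault("properties", {})["blame"] = {
                    "commit": newest["commit"],
                    "author": newest.get("author"),
                    "authorTime": newest.get("author_time"),
                    "commits": sorted({m["commit"] for m in touched}),
                }
                break  # one annotation per result is enough
    return sarif


def annotate_sample() -> dict:
    """Run the annotation over the constructed SARIF using the constructed blame output."""
    return annotate_sarif(copy.deepcopy(SAMPLE_SARIF),
                          lambda uri, s, e: parse_blame_porcelain(SAMPLE_PORCELAIN))


if __name__ == "__main__":
    print(json.dumps(annotate_sample()["runs"][0]["results"][0]["properties"], indent=2))
```

Two things to check before relying on output like this in a pipeline: the blame must be run against the exact checkout that `codeql database create` analysed, otherwise the SARIF line numbers and the blamed lines drift apart; and `codeql github upload-results` attaches the whole upload to one commit (the `--commit` value, or the one inferred from `--checkout-path`), so per-result data under `properties` travels with the SARIF but is separate from the commit the upload itself is recorded against.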

Labels

question (Further information is requested)