From e086492f82a683f6353d9993407ad18f28537838 Mon Sep 17 00:00:00 2001 From: Felicity Chapman Date: Thu, 19 Sep 2024 09:24:42 +0100 Subject: [PATCH] Remove redundant versioning from articles part 1: Code scanning (#52329) --- ...ql-code-scanning-for-compiled-languages.md | 21 ++++--------------- ...efault-setup-for-code-scanning-at-scale.md | 4 ++-- ...iguring-default-setup-for-code-scanning.md | 14 ++++++------- ...luating-default-setup-for-code-scanning.md | 2 +- .../about-code-scanning-with-codeql.md | 2 +- ...ing-your-configuration-of-default-setup.md | 18 ++-------------- .../no-source-code-seen-during-build.md | 8 +++---- .../alerts-found-in-generated-code.md | 4 ++-- .../autobuild-compiled-languages.md | 8 ------- data/variables/code-scanning.yml | 2 +- 10 files changed, 24 insertions(+), 59 deletions(-) diff --git a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md index 3d8fc7376361..7fe6079ad724 100644 --- a/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md +++ b/content/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages.md @@ -137,16 +137,12 @@ To use `autobuild` or manual build steps, you can use advanced setup. ## About Autobuild for {% data variables.product.prodname_codeql %} -{% ifversion codeql-no-build or code-scanning-without-workflow-310 %} - The {% data variables.product.prodname_codeql %} action uses `autobuild` to analyze compiled languages in the following cases. * Default setup is enabled{% ifversion codeql-no-build %} and the language does not support `none` build (supported for {% data variables.code-scanning.no_build_support %}). * Advanced setup is enabled and the workflow specifies `build-mode: autobuild`{% endif %}. * Advanced setup is enabled and the workflow has an Autobuild step for the language using the `autobuild` action (`{% data reusables.actions.action-codeql-action-autobuild %}`). -{% endif %} - {% ifversion codeql-no-build %} ### Example using the `build-mode` option @@ -173,11 +169,7 @@ steps: ### Example using the Autobuild step -{% elsif ghes and code-scanning-without-workflow-310 %} - - - -{% elsif ghes %} +{% elsif ghes < 3.14 %} The basic {% data variables.code-scanning.codeql_workflow %} uses the `autobuild` action to build your code. @@ -196,8 +188,7 @@ The basic {% data variables.code-scanning.codeql_workflow %} uses the `autobuild ## About specifying build steps manually -{% ifversion codeql-no-build or code-scanning-without-workflow-310 %} -You can only specify manual build steps if you have enabled advanced setup, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-a-repository)."{% endif %} +You can only specify manual build steps if you have enabled advanced setup, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-a-repository)." {% data reusables.code-scanning.autobuild-add-build-steps %} For information on how to edit the workflow file, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#editing-a-code-scanning-workflow)." @@ -266,8 +257,8 @@ If you added manual build steps for compiled languages and {% data variables.pro {% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %}-hosted runners are always run with the software required by `autobuild`.{% endif %} If you use self-hosted runners for {% data variables.product.prodname_actions %}, you may need to install additional software to use the `autobuild` process. Additionally, if your repository requires a specific version of a build tool, you may need to install it manually. {% ifversion code-scanning-default-setup-self-hosted-310 or default-setup-self-hosted-runners-GHEC %} For self-hosted runners, you should install dependencies directly in the runners themselves. We provide examples of common dependencies for C/C++, C#, and Java in each of the `autobuild` sections of this article for those languages. For more information, see "[AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners)."{% endif %} * [Building C/C++](#building-cc) -* [Building C#](#building-c){% ifversion codeql-go-autobuild %} -* [Building Go](#building-go){% endif %} +* [Building C#](#building-c) +* [Building Go](#building-go) * [Building Java and Kotlin](#building-java-and-kotlin) * [Building Swift](#building-swift) @@ -400,8 +391,6 @@ If you plan to create {% data variables.product.prodname_codeql %} databases usi {% endif %} -{% ifversion codeql-go-autobuild %} - ## Building Go {% ifversion codeql-no-build %}{% data variables.product.prodname_codeql %} supports build modes `autobuild` or `manual` for Go code. @@ -428,8 +417,6 @@ The `autobuild` process attempts to autodetect a suitable way to install the dep {% endnote %} -{% endif %} - ## Building Java and Kotlin {% ifversion codeql-no-build %}{% data variables.product.prodname_codeql %} supports the following build modes. diff --git a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md index 6092445f6b9a..613bce4ae17b 100644 --- a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md +++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning-at-scale.md @@ -49,7 +49,7 @@ A repository must meet all the following criteria to be eligible for default set * {% ifversion fpt %}{% data variables.product.prodname_code_scanning_caps %}{% else %}Advanced setup for {% data variables.product.prodname_code_scanning %}{% endif %} is not already enabled. * {% data variables.product.prodname_actions %} are enabled.{% ifversion default-setup-pre-enablement %}{% elsif code-scanning-default-setup-recommended-languages %} -* Uses {% ifversion code-scanning-default-setup-go %} Go, {% endif %}JavaScript/TypeScript, Python, or Ruby.{% endif %}{% ifversion fpt %} +* Uses Go, JavaScript/TypeScript, Python, or Ruby.{% endif %}{% ifversion fpt %} * Publicly visible.{%- elsif ghec %} * Publicly visible, or {% data variables.product.prodname_GH_advanced_security %} is enabled.{%- elsif ghes %} * {% data variables.product.prodname_GH_advanced_security %} is enabled.{% endif %} @@ -68,7 +68,7 @@ A repository must meet all the following criteria to be eligible for default set ### About adding languages to an existing default setup configuration -If the code in a repository changes to include {% ifversion code-scanning-default-setup-recommended-languages %}{% ifversion code-scanning-default-setup-go %}Go, {% endif %}JavaScript/TypeScript, Python, or Ruby,{% else %}a {% data variables.product.prodname_codeql %}-supported language,{% endif %} {% data variables.product.prodname_dotcom %} will automatically update the {% data variables.product.prodname_code_scanning %} configuration to include the new language. If {% data variables.product.prodname_code_scanning %} fails with the new configuration, {% data variables.product.prodname_dotcom %} will resume the previous configuration automatically so the repository does not lose {% data variables.product.prodname_code_scanning %} coverage. +If the code in a repository changes to include {% ifversion code-scanning-default-setup-recommended-languages %}Go, JavaScript/TypeScript, Python, or Ruby,{% else %}a {% data variables.product.prodname_codeql %}-supported language,{% endif %} {% data variables.product.prodname_dotcom %} will automatically update the {% data variables.product.prodname_code_scanning %} configuration to include the new language. If {% data variables.product.prodname_code_scanning %} fails with the new configuration, {% data variables.product.prodname_dotcom %} will resume the previous configuration automatically so the repository does not lose {% data variables.product.prodname_code_scanning %} coverage. {% endif %} diff --git a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md index e960a0e02800..2fb6f03acab3 100644 --- a/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md +++ b/content/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning.md @@ -48,9 +48,10 @@ If you need more granular control over your {% data variables.product.prodname_c ### Requirements for using default setup -Your repository is eligible for default setup for {% data variables.product.prodname_code_scanning %} if:{% ifversion default-setup-pre-enablement %}{% else %}{% ifversion code-scanning-without-workflow-310 %} -* It includes at least one {% data variables.product.prodname_codeql %}-supported language{% ifversion codeql-swift-advanced-setup %} aside from Swift{% endif %}.{% else %} -* It includes only the following {% data variables.product.prodname_codeql %}-supported languages: {% ifversion code-scanning-default-setup-go %}Go, {% endif %}JavaScript/TypeScript, Python, or Ruby.{% endif %}{% endif %} +Your repository is eligible for default setup for {% data variables.product.prodname_code_scanning %} if:{% ifversion default-setup-pre-enablement %} + +{% else %} +* It includes at least one {% data variables.product.prodname_codeql %}-supported language{% ifversion codeql-swift-advanced-setup %} aside from Swift{% endif %}.{% endif %} * {% data variables.product.prodname_actions %} are enabled.{% ifversion fpt %} * It is publicly visible.{%- elsif ghec %} * It is publicly visible, or {% data variables.product.prodname_GH_advanced_security %} is enabled.{%- elsif ghes %} @@ -70,12 +71,12 @@ You can use default setup with self-hosted runners for all {% data variables.pro We recommend that you start using {% data variables.product.prodname_code_scanning %} with default setup. After you've initially configured default setup, you can evaluate {% data variables.product.prodname_code_scanning %} to see how it's working for you. If you find that something isn't working as you expect, you can customize default setup to better meet your code security needs. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning)." -{% ifversion code-scanning-default-setup-recommended-languages and code-scanning-without-workflow-310 %} +{% ifversion code-scanning-default-setup-recommended-languages %} ### About adding {% ifversion code-scanning-default-setup-automatic-311 %}non-compiled and {% endif %}compiled languages to your default setup {% ifversion code-scanning-default-setup-automatic-311 %} -If the code in a repository changes to include {% ifversion code-scanning-default-setup-go %}Go, {% endif %}JavaScript/TypeScript, Python, or Ruby, {% data variables.product.prodname_dotcom %} will automatically update the {% data variables.product.prodname_code_scanning %} configuration to include the new language. If {% data variables.product.prodname_code_scanning %} fails with the new configuration, {% data variables.product.prodname_dotcom %} will resume the previous configuration automatically so the repository does not lose {% data variables.product.prodname_code_scanning %} coverage. +If the code in a repository changes to include Go, JavaScript/TypeScript, Python, or Ruby, {% data variables.product.prodname_dotcom %} will automatically update the {% data variables.product.prodname_code_scanning %} configuration to include the new language. If {% data variables.product.prodname_code_scanning %} fails with the new configuration, {% data variables.product.prodname_dotcom %} will resume the previous configuration automatically so the repository does not lose {% data variables.product.prodname_code_scanning %} coverage. {% endif %} Compiled languages are not automatically included in default setup configuration because they often require more advanced configuration, but you can manually select any {% data variables.product.prodname_codeql %}-supported compiled language{% ifversion codeql-swift-advanced-setup %} other than Swift{% endif %} for analysis. @@ -114,13 +115,12 @@ At least one {% data variables.product.prodname_codeql %}-supported language's a You will then see a "{% data variables.product.prodname_codeql %} default configuration" dialog summarizing the {% data variables.product.prodname_code_scanning %} configuration automatically created by default setup. {% ifversion code-scanning-default-setup-recommended-languages %} - {% ifversion code-scanning-without-workflow-310 %} + {% note %} **Note:** If your repository contains _only_ compiled {% data variables.product.prodname_codeql %}-supported languages (for example, Java), you will be taken to the settings page to select the languages you want to add to your default setup configuration. {% endnote %} - {% endif %} 1. Optionally, to customize your {% data variables.product.prodname_code_scanning %} setup, click {% octicon "pencil" aria-hidden="true" %} **Edit**. * To add or remove a language from the analysis performed by default setup, select or deselect that language in the "Languages" section. {% ifversion code-scanning-default-setup-recommended-languages %}If you would like to analyze a {% data variables.product.prodname_codeql %}-supported compiled language with default setup, select that language here.{% endif %} diff --git a/content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md b/content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md index a9462d6daf0f..5fdd67777cf4 100644 --- a/content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md +++ b/content/code-security/code-scanning/enabling-code-scanning/evaluating-default-setup-for-code-scanning.md @@ -17,7 +17,7 @@ When you first start using {% data variables.product.prodname_code_scanning %}, ## Customizing {% data variables.product.prodname_code_scanning %} -When you first configure default setup, or after an initial analysis of your code, you can edit{% ifversion code-scanning-without-workflow-310 %} which languages default setup will analyze and{% endif %} the query suite run during analysis. The `default` query suite contains a set of queries that are carefully designed to look for the most relevant security issues, while minimizing false positive results. However, you can use the `security-extended` suite to run additional queries, which have slightly lower precision. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)." +When you first configure default setup, or after an initial analysis of your code, you can edit which languages default setup will analyze and the query suite run during analysis. The `default` query suite contains a set of queries that are carefully designed to look for the most relevant security issues, while minimizing false positive results. However, you can use the `security-extended` suite to run additional queries, which have slightly lower precision. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)." For more information about customizing default setup, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup)." diff --git a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md index 640044e156a3..960c44cd837c 100644 --- a/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md +++ b/content/code-security/code-scanning/introduction-to-code-scanning/about-code-scanning-with-codeql.md @@ -23,7 +23,7 @@ topics: There are three main ways to use {% data variables.product.prodname_codeql %} analysis for {% data variables.product.prodname_code_scanning %}: -* Use default setup to quickly configure {% data variables.product.prodname_codeql %} analysis for {% data variables.product.prodname_code_scanning %} on your repository. Default setup automatically chooses the languages to analyze, query suite to run, and events that trigger scans. If you prefer, you can manually select the query suite to run{% ifversion code-scanning-without-workflow-310 %} and languages to analyze{% endif %}. After you enable {% data variables.product.prodname_codeql %}, {% data variables.product.prodname_actions %} will execute workflow runs to scan your code. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." +* Use default setup to quickly configure {% data variables.product.prodname_codeql %} analysis for {% data variables.product.prodname_code_scanning %} on your repository. Default setup automatically chooses the languages to analyze, query suite to run, and events that trigger scans. If you prefer, you can manually select the query suite to run and languages to analyze. After you enable {% data variables.product.prodname_codeql %}, {% data variables.product.prodname_actions %} will execute workflow runs to scan your code. For more information, see "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)." * Use advanced setup to add the {% data variables.product.prodname_codeql %} workflow to your repository. This generates a customizable workflow file which uses the [github/codeql-action](https://github.com/github/codeql-action/) to run the {% data variables.product.prodname_codeql_cli %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning#configuring-advanced-setup-for-code-scanning-with-codeql)." * Run the {% data variables.product.prodname_codeql_cli %} directly in an external CI system and upload the results to {% data variables.product.github %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/integrating-with-code-scanning/using-code-scanning-with-your-existing-ci-system)." diff --git a/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md index bec28dd0fa59..8b44d4f3fea4 100644 --- a/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md +++ b/content/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup.md @@ -15,9 +15,9 @@ topics: ## About editing your configuration of default setup -After running an initial analysis of your code with default setup, you may need to make changes to your configuration to better meet your code security needs. For existing configurations of default setup, you can edit{% ifversion code-scanning-without-workflow-310 %}: +After running an initial analysis of your code with default setup, you may need to make changes to your configuration to better meet your code security needs. For existing configurations of default setup, you can edit: * Which languages default setup will analyze. -* {% endif %} The query suite run during analysis. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."{% ifversion codeql-threat-models %} +* The query suite run during analysis. For more information on the available query suites, see "[AUTOTITLE](/code-security/code-scanning/managing-your-code-scanning-configuration/codeql-query-suites)."{% ifversion codeql-threat-models %} * The threat models (beta) to use for analysis. Your choice of threat model determines which sources of tainted data are treated as a risk to your application. During the beta, threat models are supported only for analysis of {% data variables.code-scanning.code_scanning_threat_model_support %}. For more information about threat models, see "[Including local sources of tainted data in default setup](#including-local-sources-of-tainted-data-in-default-setup)." {% endif %} @@ -29,8 +29,6 @@ If your codebase depends on a library or framework that is not recognized by the If you need to change any other aspects of your {% data variables.product.prodname_code_scanning %} configuration, consider configuring advanced setup. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/configuring-advanced-setup-for-code-scanning)." -{% ifversion code-scanning-without-workflow-310 %} - ## Customizing your existing configuration of default setup {% data reusables.repositories.navigate-to-repo %} @@ -44,18 +42,6 @@ If you need to change any other aspects of your {% data variables.product.prodna {% endif %} 1. To update your configuration, as well as run an initial analysis of your code with the new configuration, click **Save changes**. All future analyses will use your new configuration. -{% else %} - -## Changing the selected query suite for your configuration of default setup - -{% data reusables.repositories.navigate-to-repo %} -{% data reusables.repositories.sidebar-settings %} -{% data reusables.user-settings.security-analysis %} -1. In the "{% data variables.product.prodname_codeql %} analysis" row of the "{% data variables.product.prodname_code_scanning_caps %}" section, select {% octicon "kebab-horizontal" aria-label="Menu" %}, then click {% octicon "gear" aria-hidden="true" %} **View {% data variables.product.prodname_codeql %} configuration**. -1. In the "Query suites" row of the "{% data variables.product.prodname_codeql %} default configuration" window, select **QUERY SUITE** {% octicon "triangle-down" aria-hidden="true" %}, then click the new query suite for your {% data variables.product.prodname_code_scanning %} configuration to run. -1. To update your configuration of default setup, click **Enable {% data variables.product.prodname_codeql %}**. -{% endif %} - ## Defining the alert severities that cause a check failure for a pull request {% ifversion code-scanning-merge-protection-rulesets %} diff --git a/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md b/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md index acf773c978cc..efeb4c7476ae 100644 --- a/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md +++ b/content/code-security/code-scanning/troubleshooting-code-scanning/no-source-code-seen-during-build.md @@ -28,13 +28,13 @@ If your workflow fails with `Error: "No source code was seen during the build"` For more information, see the workflow extract in "[AUTOTITLE](/code-security/code-scanning/troubleshooting-code-scanning/some-languages-were-not-analyzed)". -1. _Compilation of a compiled language failed:_ Your {% data variables.product.prodname_code_scanning %} workflow tries to compile a compiled language (C, C++, C#,{% ifversion codeql-go-autobuild %} Go,{% endif %} or Java), but the code was not compiled. {% ifversion codeql-no-build %}When a workflow specifies `build-mode: autobuild` for a language or contains an `autobuild` step,{% elsif ghes %}By default, the {% data variables.product.prodname_codeql %} analysis workflow contains an `autobuild` step and{% endif %} {% data variables.product.prodname_codeql %} makes a best effort to detect a suitable build method and build your code. The `autobuild` process may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the `autobuild` step and did not include build steps manually. For more information about defining build steps, see {% ifversion codeql-no-build %}"[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#using-build-mode-manual-and-specifying-build-steps){% elsif ghes %}"[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language){% endif %}." +1. _Compilation of a compiled language failed:_ Your {% data variables.product.prodname_code_scanning %} workflow tries to compile a compiled language (C, C++, C#, Go, or Java), but the code was not compiled. {% ifversion codeql-no-build %}When a workflow specifies `build-mode: autobuild` for a language or contains an `autobuild` step,{% elsif ghes %}By default, the {% data variables.product.prodname_codeql %} analysis workflow contains an `autobuild` step and{% endif %} {% data variables.product.prodname_codeql %} makes a best effort to detect a suitable build method and build your code. The `autobuild` process may not succeed in building your code, depending on your specific build environment. Compilation may also fail if you have removed the `autobuild` step and did not include build steps manually. For more information about defining build steps, see {% ifversion codeql-no-build %}"[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#using-build-mode-manual-and-specifying-build-steps){% elsif ghes %}"[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language){% endif %}." -1. _Cached components not detected:_ Your workflow builds a compiled language (C, C++, C#,{% ifversion codeql-go-autobuild %} Go,{% endif %} or Java) to create a {% data variables.product.prodname_codeql %} database for analysis, but portions of your build are cached to improve performance (most likely to occur with build systems like Gradle or Bazel). Since {% data variables.product.prodname_codeql %} observes the activity of the compiler to understand the data flows in a repository, {% data variables.product.prodname_codeql %} requires a complete build to take place in order to perform analysis. +1. _Cached components not detected:_ Your workflow builds a compiled language (C, C++, C#, Go, or Java) to create a {% data variables.product.prodname_codeql %} database for analysis, but portions of your build are cached to improve performance (most likely to occur with build systems like Gradle or Bazel). Since {% data variables.product.prodname_codeql %} observes the activity of the compiler to understand the data flows in a repository, {% data variables.product.prodname_codeql %} requires a complete build to take place in order to perform analysis. -1. _Compilation outside `init` and `analyze` steps:_ Your workflow builds a compiled language (C, C++, C#,{% ifversion codeql-go-autobuild %} Go,{% endif %} or Java), but compilation does not occur between the `init` and `analyze` steps in the workflow. {% data variables.product.prodname_codeql %} requires that your build happens in between these two steps in order to observe the activity of the compiler and perform analysis. +1. _Compilation outside `init` and `analyze` steps:_ Your workflow builds a compiled language (C, C++, C#, Go, or Java), but compilation does not occur between the `init` and `analyze` steps in the workflow. {% data variables.product.prodname_codeql %} requires that your build happens in between these two steps in order to observe the activity of the compiler and perform analysis. -1. _Compilation not detected by {% data variables.product.prodname_codeql %}:_ Your compiled code (in C, C++, C#,{% ifversion codeql-go-autobuild %} Go,{% endif %} or Java) was compiled successfully, but {% data variables.product.prodname_codeql %} was unable to detect the compiler invocations. The most common causes are: +1. _Compilation not detected by {% data variables.product.prodname_codeql %}:_ Your compiled code (in C, C++, C#, Go, or Java) was compiled successfully, but {% data variables.product.prodname_codeql %} was unable to detect the compiler invocations. The most common causes are: * Running your build process in a separate container to {% data variables.product.prodname_codeql %}. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/running-codeql-code-scanning-in-a-container)." * Building using a distributed build system external to GitHub Actions, using a daemon process. diff --git a/data/reusables/code-scanning/alerts-found-in-generated-code.md b/data/reusables/code-scanning/alerts-found-in-generated-code.md index 904988afb82f..4a75de4510a2 100644 --- a/data/reusables/code-scanning/alerts-found-in-generated-code.md +++ b/data/reusables/code-scanning/alerts-found-in-generated-code.md @@ -1,3 +1,3 @@ -For compiled languages like Java, Kotlin, {% ifversion codeql-go-autobuild %} Go,{% endif %} C, C++, and C#, {% data variables.product.prodname_codeql %} analyzes all of the code which was built during the workflow run. To limit the amount of code being analyzed, build only the code which you wish to analyze by specifying your own build steps in a `run` block. You can combine specifying your own build steps with using the `paths` or `paths-ignore` filters on the `pull_request` and `push` events to ensure that your workflow only runs when specific code is changed. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)." +For compiled languages like Java, Kotlin, Go, C, C++, and C#, {% data variables.product.prodname_codeql %} analyzes all of the code which was built during the workflow run. To limit the amount of code being analyzed, build only the code which you wish to analyze by specifying your own build steps in a `run` block. You can combine specifying your own build steps with using the `paths` or `paths-ignore` filters on the `pull_request` and `push` events to ensure that your workflow only runs when specific code is changed. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)." -For languages like{% ifversion codeql-go-autobuild %}{% else %} Go,{% endif %} JavaScript, Python, and TypeScript, that {% data variables.product.prodname_codeql %} analyzes without compiling the source code, you can specify additional configuration options to limit the amount of code to analyze. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan)." +For languages like JavaScript, Python, and TypeScript, that {% data variables.product.prodname_codeql %} analyzes without compiling the source code, you can specify additional configuration options to limit the amount of code to analyze. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan)." diff --git a/data/reusables/code-scanning/autobuild-compiled-languages.md b/data/reusables/code-scanning/autobuild-compiled-languages.md index e2b8dd0a7220..efd028d5e909 100644 --- a/data/reusables/code-scanning/autobuild-compiled-languages.md +++ b/data/reusables/code-scanning/autobuild-compiled-languages.md @@ -1,9 +1 @@ -{% ifversion code-scanning-without-workflow-310 %} - If you enable default setup, the `autobuild` build mode will be used to build compiled languages, as part of your automatically configured {% data variables.code-scanning.codeql_workflow %}. If you enable advanced setup, the basic {% data variables.code-scanning.codeql_workflow %} uses the `autobuild` build mode. Alternatively, you can change the build mode for your compiled languages to `manual` and instead specify explicit build commands to analyze only the files that are built by these custom commands. - -{% else %} - -The basic {% data variables.code-scanning.codeql_workflow %} uses the `autobuild` action to build your code. Alternatively, you can disable `autobuild` and instead specify explicit build commands to analyze only the files that are built by these custom commands. - -{% endif %} diff --git a/data/variables/code-scanning.yml b/data/variables/code-scanning.yml index e99ffbd195d8..0a8faa5e6c69 100644 --- a/data/variables/code-scanning.yml +++ b/data/variables/code-scanning.yml @@ -10,7 +10,7 @@ tool_status_page: 'tool status page' no_build_support: '{% ifversion codeql-no-build-csharp %}C# and{% endif %} Java' # List of compiled languages -compiled_languages: 'C/C++, C#, {% ifversion codeql-go-autobuild %} Go,{% endif %} Java, and Swift' +compiled_languages: 'C/C++, C#, Go, Java, Kotlin, and Swift' # List of languages where the libraries support expansion using CodeQL model packs at the repository level. codeql_model_packs_support: '{% ifversion fpt or ghec or ghes > 3.14 %}C#, Java/Kotlin, Python, and Ruby{% elsif ghes > 3.12 %}C#, Java/Kotlin, and Ruby{% elsif ghes > 3.10 %}Java/Kotlin{% endif %}'