
CodeQL analyze error with exit code 2: running specific queries using a query suite #430

Closed
gutakk opened this issue Mar 22, 2021 · 23 comments

Comments

gutakk commented Mar 22, 2021

Hi CodeQL team,

I found this error occurring about a week ago. I didn't change anything in the codebase (I set this workflow to run on the master branch, and the master branch's last update was a week ago).

Right now this error is raised when my CodeQL workflow runs at the scheduled time:

Error: Error running analysis for go: Error: The process '/opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/codeql' failed with exit code 2
CodeQLAnalysisError: Error running analysis for go: Error: The process '/opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/codeql' failed with exit code 2
    at runQueries (/home/runner/work/_actions/github/codeql-action/v1/lib/analyze.js:113:19)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:93:5) {
  name: 'CodeQLAnalysisError',
  queriesStatusReport: {
    analyze_builtin_queries_go_duration_ms: 92593,
    analyze_failure_language: 'go'
  }
}

I still have no idea why this happens. If you need any additional information, feel free to tell me what you want.
Thank you guys in advance.

adityasharad (Contributor) commented:

Thanks for letting us know. Do you have the remaining logs from the CodeQL workflow? This exit code indicates CodeQL itself failed in the analysis step, and it will usually print the error logs to stderr (docs).

Try enabling Actions debug logging and running the workflow again. Then if your repository is public please share a link to the Actions run, otherwise we may ask you to share the logs in this issue or in a support ticket.

gutakk (Author) commented Mar 23, 2021

Sorry for the delayed response. Unfortunately, I can't share the repository with you guys as it is a private repo.
Here is the additional log after enabling debug logging:

Running queries.
Compiling query plan for /home/runner/work/_temp/github/codeql-go/main/ql/src/experimental/CWE-369/DivideByZero.ql.
Compiling upgrade for /home/runner/work/_temp/github/codeql-go/main/ql/src/experimental/CWE-369/DivideByZero.ql
A fatal error occurred: The CodeQL database at ../../_temp/codeql_databases/go
is not compatible with the QL library ../../_temp/github/codeql-go/main/ql/src/experimental/CWE-369/DivideByZero.ql uses.
The database may be too new for the QL libraries the query is using; try upgrading them.
Alternatively, running 'codeql database upgrade ../../_temp/codeql_databases/go' with an appropriate --search-path option might help.
Error: The process '/opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/codeql' failed with exit code 2
Error: Error running analysis for go: Error: The process '/opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/codeql' failed with exit code 2
CodeQLAnalysisError: Error running analysis for go: Error: The process '/opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/codeql' failed with exit code 2
    at runQueries (/home/runner/work/_actions/github/codeql-action/v1/lib/analyze.js:113:19)
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:93:5) {
  name: 'CodeQLAnalysisError',
  queriesStatusReport: {
    analyze_builtin_queries_go_duration_ms: 91228,
    analyze_failure_language: 'go'
  }
}
##[debug]GITHUB_REF=refs/heads/test-codeql
##[debug]RUNNER_TEMP=/home/runner/work/_temp
##[debug]Sending status report: {"workflow_run_id":675390791,"workflow_name":"CodeQL","job_name":"analyze","analysis_key":".github/workflows/codeql-analysis.yml:analyze","commit_oid":"51cbf09fc744543fc04058cc72cc28e4dfa60e1b","ref":"refs/heads/test-codeql","action_name":"finish","action_ref":"v1","action_oid":"unknown","started_at":"2021-03-23T06:14:23.066Z","action_started_at":"2021-03-23T06:14:31.621Z","status":"failure","cause":"Error running analysis for go: Error: The process '/opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/codeql' failed with exit code 2","exception":"CodeQLAnalysisError: Error running analysis for go: Error: The process '/opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/codeql' failed with exit code 2\n    at runQueries (/home/runner/work/_actions/github/codeql-action/v1/lib/analyze.js:113:19)\n    at runMicrotasks (<anonymous>)\n    at processTicksAndRejections (internal/process/task_queues.js:93:5)","completed_at":"2021-03-23T06:20:53.085Z","matrix_vars":"{\n  \"language\": \"go\"\n}","analyze_builtin_queries_go_duration_ms":91228,"analyze_failure_language":"go"}
##[debug]GITHUB_REPOSITORY=opn-ooo/gcp-merchant
##[debug]GITHUB_SERVER_URL=https://github.com
Debug mode is on. Printing CodeQL debug logs...
::group::CodeQL Debug Logs - go - build-tracer.log
CodeQL Debug Logs - go - build-tracer.log
  [T 06:14:33 1755] Reading configuration file /home/runner/work/_temp/codeql_databases/go/working/tracing/compiler-tracing782992385665745353.spec...
  [T 06:14:33 1755] Compilers file as of 2021-03-23 06:14:33
  [T 06:14:33 1755] Compiler pattern: **/go-autobuilder
  [T 06:14:33 1755] Replace intercepted call: 0
  [T 06:14:33 1755] Extractor: <null>
  [T 06:14:33 1755] Compilers file as of 2021-03-23 06:14:33
  [T 06:14:33 1755] Compiler pattern: **/go
  [T 06:14:33 1755] Replace intercepted call: 0
  [T 06:14:33 1755] Extractor: /opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/go/tools/linux64/go-extractor
  [T 06:14:33 1755] Prepend[0] "--mimic"
  [T 06:14:33 1755] Prepend[1] ""${compiler}""
  [T 06:14:33 1755] Reading configuration file /home/runner/work/_temp/codeql_databases/go/working/tracing/compiler-tracing782992385665745353.spec...
  [T 06:14:33 1755] Warning: SEMMLE_EXEC and SEMMLE_EXECP not set. Falling back to path lookup on argv[0].
  [T 06:14:33 1755] ==== Candidate to intercept: /opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/tools/linux64/runner-linux (canonical: /opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/tools/linux64/runner-linux) ====
  [T 06:14:33 1755] Reading configuration file /home/runner/work/_temp/codeql_databases/go/working/tracing/compiler-tracing782992385665745353.spec...
  [T 06:14:33 1755] ==== Candidate to intercept: /opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/go/tools/autobuild.sh (canonical: /opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/go/tools/autobuild.sh) ====
  [T 06:14:34 1764] Reading configuration file /home/runner/work/_temp/codeql_databases/go/working/tracing/compiler-tracing782992385665745353.spec...
  [T 06:14:34 1764] ==== Candidate to intercept: /opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/go/tools/linux64/go-autobuilder (canonical: /opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/go/tools/linux64/go-autobuilder) ====
  [T 06:14:34 1764] === Intercepted call to /opt/hostedtoolcache/CodeQL/0.0.0-20210308/x64/codeql/go/tools/linux64/go-autobuilder === 
  [T 06:14:34 1764] Disabling tracing for this command.
  [T 06:14:34 1770] Reading configuration file /home/runner/work/_temp/codeql_databases/go/working/tracing/compiler-tracing782992385665745353.spec...

adityasharad (Contributor) commented Mar 23, 2021

Thanks. That looks like you're running queries from the github/codeql-go main branch, which won't be compatible with the CodeQL CLI bundled into the Actions VM. Can you show me your CodeQL configuration file?

If you're trying to run the experimental queries, then I can show you how to run additional queries by checking in a query suite file and tweaking the configuration, instead of fetching from main.

gutakk (Author) commented Mar 24, 2021

codeql.yml

name: "OPN CodeQL config"

queries:
  - uses: security-and-quality
  - uses: github/codeql-go/ql/src/experimental@main

workflow file

name: "CodeQL"

on:
  push:
    branches: [master]
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [master]
  schedule:
    - cron: '0 4 * * 3'

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest

    strategy:
      fail-fast: false
      matrix:
        language: ['go']
    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
      with:
        fetch-depth: 2
    - run: git checkout HEAD^2
      if: ${{ github.event_name == 'pull_request' }}

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      with:
        languages: ${{ matrix.language }}
        config-file: ./.github/codeql.yml
        # If you wish to specify custom queries, you can do so here or in a config file.
        # By default, queries listed here will override any specified in a config file.
        # Prefix the list here with "+" to use these queries and those in the config file.
        # queries: ./path/to/local/query, your-org/your-repo/queries@main

    - name: Autobuild
      uses: github/codeql-action/autobuild@v1

    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl

    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
    #    and modify them (or add more) to build your code if your project
    #    uses a compiled language

    #- run: |
    #   make bootstrap
    #   make release

    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v1

adityasharad (Contributor) commented Mar 24, 2021

Thank you for sharing. Indeed the problem you're facing is from - uses: github/codeql-go/ql/src/experimental@main. In fact these queries are already bundled into the CodeQL tool installation on Actions. By checking out from main, you get a second copy of these queries that are too new for the CodeQL tools installed by default.

Since you are interested in running the experimental queries for Go, I suggest you create a query suite file (docs here) that tells CodeQL to look for the experimental folder within the CodeQL bundle already present on Actions. Check this file into your repo:

.github/codeql/experimental.qls:

- queries: experimental
  from: codeql-go

Then update your CodeQL configuration file to use this query suite:

.github/codeql.yml:

name: "OPN CodeQL config"
queries:
  - uses: security-and-quality
  - uses: ./.github/codeql/experimental.qls

Your workflow file does not need to change, since it already uses the codeql.yml configuration file.

adityasharad (Contributor) commented:

One further suggestion for your workflow file (unrelated to the problem you reported):

It is no longer necessary to do the following when running on pull_request events:

- name: Checkout repository
  uses: actions/checkout@v2
  with:
    fetch-depth: 2
- run: git checkout HEAD^2
  if: ${{ github.event_name == 'pull_request' }}

Instead, it is enough to use:

- name: Checkout repository
  uses: actions/checkout@v2

See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-pull-requests for more information.

gutakk (Author) commented Mar 25, 2021

Thank you so much @adityasharad. I will get back to you once I have time to work on this.

Also, let me recap my understanding from your suggestion.
There are 2 ways to solve this issue

  1. Create .github/codeql/experimental.qls and update the codeql.yml following your suggestion above.
  2. Remove - uses: github/codeql-go/ql/src/experimental@main from the codeql.yml file as this query is already bundled into the CodeQL tool installation on Actions.

Am I correct? 😅

gutakk (Author) commented Mar 26, 2021

Hi @adityasharad, I have a chance to work on this now. The second approach from my comment above is working, but your suggestion is not working, with the following error:

The configuration file "/home/runner/work/gcp-merchant/gcp-merchant/.github/codeql.yml" is invalid: property "queries.uses" must be a built-in suite (security-extended or security-and-quality), a relative path, or be of the form "owner/repo[/path]@ref" Found: github/codeql/experimental.qls

What I had done:

  • Create .github/codeql/experimental.qls:

- queries: experimental
  from: codeql-go

  • Update .github/codeql.yml:

name: "OPN CodeQL config"
queries:
  - uses: security-and-quality
  - uses: .github/codeql/experimental.qls

I tried to look at how to use custom queries in the documentation but still no luck.
Thanks in advance.

gutakk (Author) commented Mar 26, 2021

Update: I made it work now.
In .github/codeql.yml I changed it to:

name: "OPN CodeQL config"

queries:
  - uses: security-and-quality
  - uses: ./.github/codeql/experimental.qls

Thank you @adityasharad

adityasharad (Contributor) commented:

My mistake, I forgot the leading ./ that makes this a relative path from the repository root! Edited my answer to include the correct path.

Glad to help. Please don't hesitate to reopen or file a new issue if you have further questions.
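The `./` detail above is easy to miss, so here is a small added linter (my own example, not code from the codeql-action project) that classifies each `queries.uses` value in a config file according to the three accepted forms named in the error message earlier in this thread: a built-in suite, a relative path (modelled here as a `./`-prefixed path), or `owner/repo[/path]@ref`. The classification rules and the regular expressions are my model of that error message, not the action's own parser, and the sample config is constructed from the values posted in this thread.

```python
import re
from typing import List, Tuple

# Built-in suite names quoted in the error message earlier in this thread.
BUILTIN_SUITES = {"security-extended", "security-and-quality"}

# owner/repo[/path]@ref, e.g. github/codeql-go/ql/src/experimental@main.
# Assumption: no whitespace or '@' inside the owner, repo, path or ref parts.
REMOTE_REF = re.compile(r"^[^/@\s]+/[^/@\s]+(?:/[^@\s]+)?@[^\s@]+$")

# Matches a "- uses: <value>" line of a CodeQL config file (not a workflow file).
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(.+?)\s*$")


def classify_uses(value: str) -> str:
    """Classify one queries.uses value: builtin-suite, relative-path, remote-ref or invalid.

    Model of the accepted forms from the error message; the leading './' is what
    turned the failing '.github/codeql/experimental.qls' into a valid relative path."""
    if value in BUILTIN_SUITES:
        return "builtin-suite"
    if value.startswith("./"):
        return "relative-path"
    if REMOTE_REF.match(value):
        return "remote-ref"
    return "invalid"


def lint_config(config_text: str) -> List[Tuple[str, str]]:
    """Return (value, classification) for every uses: line in a config file.

    Only the uses: lines are read, so no YAML library is required."""
    results = []
    for line in config_text.splitlines():
        m = USES_LINE.match(line)
        if m:
            value = m.group(1).strip("'\"")
            results.append((value, classify_uses(value)))
    return results


# Constructed sample config built from the values posted in this thread.
SAMPLE_CONFIG = """\
name: "OPN CodeQL config"
queries:
  - uses: security-and-quality
  - uses: github/codeql-go/ql/src/experimental@main
  - uses: .github/codeql/experimental.qls
  - uses: ./.github/codeql/experimental.qls
"""

if __name__ == "__main__":
    for value, kind in lint_config(SAMPLE_CONFIG):
        flag = "  <-- not an accepted form; did you forget the leading ./ ?" if kind == "invalid" else ""
        print(f"{kind:14s} {value}{flag}")
```

Run it against a real `.github/codeql.yml` before pushing a change to the query list; a `remote-ref` entry is the one to look at twice, since (as this thread shows) it fetches query sources that may be newer than the CodeQL bundle cached on the runner.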

a-z-i-z commented Sep 29, 2021

Hi @adityasharad. Faced the same issue but my requirement is a bit different. I've made the three files: codeql.yml, config.yml and custom-queries.qls. Attaching the files for your reference.

I want to use security-and-quality and lgtm-full but want to exclude some of the rules/queries that shouldn't be executed while scanning the code. The rules are:

  • cs/dereferenced-value-may-be-null
  • cs/virtual-call-in-constructor

Just as a heads-up: I followed this doc to exclude one rule just for testing, but no luck.

Is it possible to achieve this? Also let me know if there is an alternative way to achieve this.
Thank you in advance.

codeql.yml file

name: "CodeQL"
on:
  push:
    branches: [ 'feature/code-scanning' ]
jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        language: [ 'csharp' ]
    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
    - name: Setup .NET Core
      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: 5.0.x
      env:
        NUGET_AUTH_TOKEN: ${{secrets.PERSONAL_ACCESS_TOKEN}}
    - name: Initialize CodeQL
      uses: github/codeql-action/init@v1
      with:
        languages: ${{ matrix.language }}
        config-file: ./.github/workflows/codeql/codeql-config.yml      
    - name: Autobuild
      uses: github/codeql-action/autobuild@v1
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@v1

codeql-config.yml file

name: "My CodeQL config"
disable-default-queries: true
queries:
  - uses: ./.github/workflows/codeql/custom-queries.qls

custom-queries.qls file

- queries: codeql-suites/csharp-security-and-quality.qls
  from: codeql-csharp
- exclude:
    id:
    - CatchOfNullReferenceException.ql

adityasharad (Contributor) commented:

@a-z-i-z the use of the config file looks fine, but please try changing your custom-queries.qls file as follows, to import the original query suite and then filter using the query ID rather than the query filename. For example:

- import: codeql-suites/csharp-security-and-quality.qls
  from: codeql-csharp
- exclude:
    id:
      - cs/dereferenced-value-may-be-null
      - cs/virtual-call-in-constructor

a-z-i-z commented Sep 30, 2021

@adityasharad Thanks Aditya. This worked well and the mentioned queries were eliminated among all. Thanks again.

ArielSAdamsNASA commented:

@adityasharad I was redirected to this thread from github/codeql#6778 as I am having similar problems with the JPL_C queries from CodeQL. The JPL_C queries can be found here https://github.com/github/codeql/tree/main/cpp/ql/src/JPL_C. I have also tried to change @main to the latest release which is @lgtm/v1.28.0, but it still failed saying that the database may be too new. Any help would be appreciated. Thank you!

When creating a .qls file, it states: A fatal error occurred: The QL pack 'codeql@latest' which is referenced from /home/runner/work/osal/osal/.github/codeql/jpl.qls cannot be found.

jpl.qls

- queries: JPL_C
  from: codeql

codeql-coding-standard.yml

name: "CodeQL Coding Standard Configuration File"

disable-default-queries: true

queries:
  - name: JPL Rules
    uses: ./.github/codeql/jpl.qls

adityasharad (Contributor) commented:

@ArielSAdamsNASA thanks for asking. Could you please try changing your jpl.qls file to

- queries: JPL_C
  from: codeql/cpp-queries

The name expected in the from field is the name of the query pack, which is defined in https://github.com/github/codeql/blob/main/cpp/ql/src/qlpack.yml.
codeql-cpp should also work in place of codeql/cpp-queries, much like the examples earlier in this thread. That is the old name, and CodeQL handles both.

ArielSAdamsNASA commented:

@adityasharad Thank you! I reran the workflow again, six days later, and the workflows are no longer failing. I am not sure why the JPL queries from main did not work, but it has been resolved. I will use jpl.qls if this happens again.

adityasharad (Contributor) commented:

Glad to hear it is working. I would generally recommend using a query suite instead of referencing the queries directly from github/codeql:main, because the query libraries on main are not guaranteed to exactly match the query libraries bundled with the cached copy of CodeQL on Actions. Using a query suite in this way ensures you get the queries and libraries straight out of the cached CodeQL instead.

ArielSAdamsNASA commented Oct 7, 2021

@adityasharad That makes sense. I will use query suites instead. How would one call an individual query like jsf/4.20 Unions and Bit Fields/AV Rule 153.ql? Does each individual query need to be in a separate .qls file or can they be placed together in the same file? Thanks again!

adityasharad (Contributor) commented:

> @adityasharad That makes sense. I will use query suites instead. How would one call an individual query like jsf/4.20 Unions and Bit Fields/AV Rule 153.ql? Does each individual query need to be in a separate .qls file or can they be placed together in the same file? Thanks again!

Can you tell me a bit more about what you're trying to do? Are you trying to run different queries in different workflows, or a set of specific queries but all in the same workflow? Am I correct in thinking this is still in the context of GitHub Actions?

ArielSAdamsNASA commented:

@adityasharad Yes, this is still in the context of GitHub Actions. I have one workflow that needs all of the JPL queries, but only a selected few of jsf queries. This is what the configuration looks like right now before the query suites.

name: "CodeQL Coding Standard Configuration File"

disable-default-queries: true

queries:
  - name: JPL Rules
    uses: github/codeql/cpp/ql/src/JPL_C@main
  - name: MISRA Rule 9-5-1
    uses: github/codeql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 153.ql@main
  - name: MISRA Rule 5-18-1
    uses: github/codeql/cpp/ql/src/jsf/4.21 Operators/AV Rule 168.ql@main
  - name: MISRA 6-2-2
    uses: github/codeql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 202.ql@main
  - name: MISRA Rule 5-14-1
    uses: github/codeql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql@main
  - name: MISRA Rule 5-3-2
    uses: github/codeql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql@main
  - name: MISRA Rule 7-5-2
    uses: github/codeql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 173.ql@main

@adityasharad adityasharad changed the title CodeQL analyze error with exit code 2 CodeQL analyze error with exit code 2: running specific queries using a query suite Oct 7, 2021
adityasharad (Contributor) commented Oct 7, 2021

Exactly the information I needed, thank you @ArielSAdamsNASA.
Try the following in your jpl.qls query suite file:

# Start with all the queries in the codeql/cpp-queries pack.
- queries: .
  from: codeql/cpp-queries
# Restrict to only the queries with the following ID patterns.
- include:
    id:
      # Regular expression matching all query IDs that start with `cpp/jpl-c/`
      # This covers all queries in the `JPL_C` directory,
      # but matching on query ID is more stable.
      - /cpp/jpl-c/*/
      # Specific JSF queries, identified by query ID.
      - cpp/jsf/av-rule-153
      - cpp/jsf/av-rule-168
      - cpp/jsf/av-rule-202
      - cpp/jsf/av-rule-165
      - cpp/jsf/av-rule-173

Each query's ID can be found in the query metadata section at the top of the query file, starting with @id.

To help you with future query suite writing:
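To make the include/exclude mechanics concrete, here is an added Python model (my own example, not CodeQL's implementation and not code from this thread) of how a query suite filters a query set by the `@id` from each query's metadata header. It covers both the exclude suite suggested for the C# case earlier in this thread and the include suite just above. Assumptions, labelled in the code: the `queries: .` instruction is modelled as loading all of the constructed sample queries; a slash-delimited value is treated as a regular expression that must match the whole query ID, so the sample uses `/cpp/jpl-c/.*/` (check the query suite documentation for CodeQL's exact matching rules); and the IDs other than `cpp/jsf/av-rule-153` are constructed for the demo.

```python
import re
from typing import Dict, List

# Constructed query sources: only the metadata header matters for suite filtering.
# cpp/jsf/av-rule-153 is a real ID mentioned in this thread; the others are made up.
SAMPLE_QUERIES: Dict[str, str] = {
    "JPL_C/Example.ql": "/**\n * @name Example JPL rule (constructed)\n * @id cpp/jpl-c/example-rule\n * @kind problem\n */\nimport cpp\nselect 1",
    "jsf/4.20 Unions and Bit Fields/AV Rule 153.ql": "/**\n * @name AV Rule 153\n * @id cpp/jsf/av-rule-153\n */",
    "jsf/Other.ql": "/**\n * @name Other JSF rule (constructed)\n * @id cpp/jsf/av-rule-999\n */",
    "Security/Example.ql": "/**\n * @name Constructed security query\n * @id cpp/example-security-query\n */",
}

# Matches the "@id <value>" line inside the leading /** ... */ metadata comment.
ID_TAG = re.compile(r"^\s*\*\s*@id\s+(\S+)", re.MULTILINE)


def query_id(ql_source: str) -> str:
    """Extract the @id from a query's metadata header (raises if absent)."""
    m = ID_TAG.search(ql_source)
    if not m:
        raise ValueError("no @id tag in query metadata")
    return m.group(1)


def matches(pattern: str, value: str) -> bool:
    """Model of a suite constraint value: /regex/ matches the whole ID, anything else is an exact match."""
    if len(pattern) >= 2 and pattern.startswith("/") and pattern.endswith("/"):
        return re.fullmatch(pattern[1:-1], value) is not None
    return pattern == value


def apply_suite(instructions: List[dict], queries: Dict[str, str]) -> List[str]:
    """Apply suite instructions in order and return the sorted IDs that survive.

    Model: 'queries' loads the full set; 'include' keeps only matching queries;
    'exclude' drops matching queries. Filters operate on the set selected so far."""
    selected: Dict[str, str] = {}
    for instr in instructions:
        if "queries" in instr:
            selected = {path: query_id(src) for path, src in queries.items()}
        elif "include" in instr:
            pats = instr["include"]["id"]
            selected = {p: q for p, q in selected.items() if any(matches(x, q) for x in pats)}
        elif "exclude" in instr:
            pats = instr["exclude"]["id"]
            selected = {p: q for p, q in selected.items() if not any(matches(x, q) for x in pats)}
    return sorted(selected.values())


# The include suite from above, as parsed YAML (regex written as /cpp/jpl-c/.*/ for this model).
JPL_AND_JSF_SUITE = [
    {"queries": ".", "from": "codeql/cpp-queries"},
    {"include": {"id": ["/cpp/jpl-c/.*/", "cpp/jsf/av-rule-153", "cpp/jsf/av-rule-168",
                        "cpp/jsf/av-rule-202", "cpp/jsf/av-rule-165", "cpp/jsf/av-rule-173"]}},
]

# An exclude suite in the shape of the C# example from this thread, with a constructed ID.
EXCLUDE_SUITE = [
    {"queries": ".", "from": "codeql/cpp-queries"},
    {"exclude": {"id": ["cpp/jsf/av-rule-999"]}},
]

if __name__ == "__main__":
    print("include suite ->", apply_suite(JPL_AND_JSF_SUITE, SAMPLE_QUERIES))
    print("exclude suite ->", apply_suite(EXCLUDE_SUITE, SAMPLE_QUERIES))
```

The practical habit this encodes is the one stated in the thread: filter on the `@id` in the query header rather than on file names or directory layout, because the ID is the stable handle and a filter on it does nothing when it has a typo, so check the selected list rather than assuming the suite took effect.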

amalay commented Jul 18, 2022

Hi Guys, I have a monorepo that contains multiple services written in multiple languages and separated by sub-directory. I want to run CodeQL analysis at the sub-directory level only. It is working perfectly for the JavaScript, TypeScript and Python sub-directories using paths/paths-ignore in the codeql-config.yml file as mentioned in the GitHub docs. But the same is not working for the Go sub-directory. For Go, it starts scanning all the repository's folders instead of the specific Go folder. Is there any limitation with Go, or does something different need to be done for Go?

adityasharad (Contributor) commented:

> Hi Guys, I have a monorepo that contains multiple services written in multiple languages and separated by sub-directory. I want to run CodeQL analysis at the sub-directory level only. It is working perfectly for the JavaScript, TypeScript and Python sub-directories using paths/paths-ignore in the codeql-config.yml file as mentioned in the GitHub docs. But the same is not working for the Go sub-directory. For Go, it starts scanning all the repository's folders instead of the specific Go folder. Is there any limitation with Go, or does something different need to be done for Go?

Answered in github/codeql#9844. Please don't hesitate to create new issues or discussions for new problems that you encounter.
