codeql cli to get the list of issues based on severity after analyze #88

fazith27 opened this issue Oct 20, 2021 · 5 comments

@fazith27

Hi, we just started using the codeql cli for our code scanning.

I am looking for a codeql cli command to give the list of issues based on severity once we run codeql analyze. I have checked the codeql cli manual and am unable to find anything. I understand the codeql cli will produce a SARIF output file when we run analyze, but it is too big, with a lot of details which I don't want. I am just looking for a simplified result to get the list of issues based on severity. I can write a parser to parse the SARIF file, but before that I just want to know if any cli command is already available to give me the result I am looking for.

Thanks in advance.

@github-actions github-actions bot added the CLI label Oct 20, 2021
@adityasharad
Contributor

codeql database analyze is capable of producing CSV output instead of SARIF, with the flag --format=csv. Each CSV row includes information about the query as well as the alert. This includes the query severity metadata (error/warning/recommendation); however, it does not currently contain the security-severity metadata.
Would that be useful for your purpose?

If you are using GitHub code scanning and uploading the CodeQL results there, then the code scanning UI and API will also be able to show you the list of alerts that were uploaded.

@fazith27
Author

fazith27 commented Oct 21, 2021

Hi @adityasharad, thanks for your reply. Actually I am looking to break a build if there are any high severity alerts identified just after the analyze step, and I am also looking for something for developers to get quick feedback even before they commit their changes. Can you suggest if there is a way we can do this without parsing an output file (either SARIF or CSV)?

I tried "--format=csv" and the result does not have the header row, so it is not clear what each field is. Below is the command I have used. Am I missing anything?
codeql database analyze mydatabasename python-code-scanning.qls --format=csv --output=myoutput.csv

@adityasharad
Contributor

Actually I am looking to break a build if there are any high severity alerts identified just after analyze step

Are you uploading the CodeQL results to GitHub code scanning? If so, this is a built-in feature for code scanning on PRs.

If you want to do this entirely locally, then I think you will have to parse either the CSV or SARIF -- there is no option for changing CodeQL's exit code based on the alert severities.

I tried "--format=csv" and the result is not having the header field so not clear on what each fields are? Below is the command I have used. Am I missing anything?

Thank you for pointing this out. You are not missing anything; the CSV output does not include the headers by default. We've logged an internal issue for adding this option to a future CLI version; apologies for the confusion.
The third column has the severity, but be aware that results with multiple locations may have multiple rows, which may trip up a simple CSV parser. SARIF may be a better bet if that gives you trouble.

@fazith27
Author

Hi @adityasharad, thanks for your reply. Yes, we are uploading the results to GitHub and I have tested the code scanning check on PRs. It is looking good, but as I said earlier, we are looking to get quicker feedback so that the developer does not need to wait for the pipeline to fail when raising a PR. Just to clarify my requirement, I am not looking for the codeql cli to give an exit code when there are high vulnerabilities, but for an option to list the vulnerabilities or errors (based on a filter), something like below:

codeql database get-results --filter=error

This will help the developer to test the code in their local/sandbox even before committing, and also to configure our pipelines however we want based on the scan results.

From our discussion and the cli docs, I understand there is no such option available. Do you think this is worth an option?
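Both the CSV caveats adityasharad describes above (no header row, severity in the third column, repeated rows for multi-location results) and the `--filter=error` style listing fazith27 asks for can be covered today by a short post-processing script. The following is an added example written for this thread; it is not part of the CodeQL CLI and not something the maintainers provide. It assumes the column order of the header-less CSV (name, description, severity, message, path, start line, start column, end line, end column) and the standard SARIF layout where `problem.severity` and `security-severity` live in each rule's `properties`; the sample inputs at the bottom are constructed, not real scanner output.

```python
"""Group CodeQL alerts by severity from `codeql database analyze` output.

Added example for this thread, not part of the CodeQL CLI. Reads either the
header-less CSV (--format=csv) or the SARIF output so a developer can list,
filter and gate on alerts locally before pushing.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Assumed column order of CodeQL's header-less CSV; the thread above only
# confirms that the third column is the severity.
CSV_COLUMNS = ("name", "description", "severity", "message", "path",
               "start_line", "start_col", "end_line", "end_col")


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str                       # error / warning / recommendation
    security_severity: Optional[float]  # 0-10 score, present in SARIF only
    path: str
    line: int
    message: str


def parse_csv_alerts(text: str) -> list:
    """Parse header-less CodeQL CSV. Exact duplicate rows collapse into one
    Alert; rows for one result that differ in location stay separate, so the
    count is an upper bound. The CSV carries no security-severity."""
    seen, alerts = set(), []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        rec = dict(zip(CSV_COLUMNS, row))
        alert = Alert(rule=rec["name"], severity=rec["severity"].lower(),
                      security_severity=None, path=rec["path"],
                      line=int(rec["start_line"]), message=rec["message"])
        if alert not in seen:
            seen.add(alert)
            alerts.append(alert)
    return alerts


def parse_sarif_alerts(sarif: dict) -> list:
    """Parse SARIF, joining each result to its rule so problem.severity and
    security-severity are read from the rule's properties (rules may sit
    under tool.driver or tool.extensions)."""
    alerts = []
    for run in sarif.get("runs", []):
        tool = run.get("tool", {})
        rules = {r["id"]: r
                 for comp in [tool.get("driver", {})] + tool.get("extensions", [])
                 for r in comp.get("rules", [])}
        for res in run.get("results", []):
            props = rules.get(res.get("ruleId"), {}).get("properties", {})
            sec = props.get("security-severity")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            alerts.append(Alert(
                rule=res.get("ruleId", "?"),
                severity=props.get("problem.severity", res.get("level", "warning")),
                security_severity=float(sec) if sec is not None else None,
                path=loc.get("artifactLocation", {}).get("uri", "?"),
                line=int(loc.get("region", {}).get("startLine", 0)),
                message=res.get("message", {}).get("text", "")))
    return alerts


def select(alerts, severity=None, min_security_severity=None) -> list:
    """The --filter this thread asks for: keep alerts whose problem severity
    matches and/or whose security-severity reaches the threshold."""
    out = list(alerts)
    if severity is not None:
        out = [a for a in out if a.severity == severity]
    if min_security_severity is not None:
        out = [a for a in out if a.security_severity is not None
               and a.security_severity >= min_security_severity]
    return out


def count_by_severity(alerts) -> dict:
    return dict(Counter(a.severity for a in alerts))


def gate_exit_code(alerts, severity="error") -> int:
    """1 when any alert has the given severity, so a pipeline step can fail."""
    return 1 if select(alerts, severity=severity) else 0


# Constructed sample inputs (not real scanner output) for a quick local check.
SAMPLE_CSV = (
    '"Clear-text logging of sensitive information","Logs sensitive data in clear text.",'
    '"error","Sensitive data (password) is logged here.","src/auth.py","42","5","42","30"\n'
    '"Unused import","Import is not used.","warning","Import of os is not used.",'
    '"src/util.py","3","1","3","10"\n'
    '"Unused import","Import is not used.","warning","Import of os is not used.",'
    '"src/util.py","3","1","3","10"\n'
)
SAMPLE_SARIF = {"runs": [{
    "tool": {"driver": {"name": "CodeQL", "rules": [
        {"id": "py/clear-text-logging-sensitive-data",
         "properties": {"problem.severity": "error", "security-severity": "7.8"}},
        {"id": "py/unused-import", "properties": {"problem.severity": "recommendation"}}]}},
    "results": [
        {"ruleId": "py/clear-text-logging-sensitive-data", "level": "error",
         "message": {"text": "Sensitive data (password) is logged here."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/auth.py"},
                                             "region": {"startLine": 42}}}]},
        {"ruleId": "py/unused-import", "level": "note",
         "message": {"text": "Import of os is not used."},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "src/util.py"},
                                             "region": {"startLine": 3}}}]}]}]}
```

Against real output it is `parse_sarif_alerts(json.load(open("results.sarif")))` or `parse_csv_alerts(open("myoutput.csv").read())`. `gate_exit_code` gives the build-breaking behaviour the thread says the CLI itself does not offer, and `select(alerts, min_security_severity=7.0)` uses the security-severity metadata that, as noted above, only the SARIF carries.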

@scotbellamy

We are starting to implement Advanced Security, and same as @fazith27, we are looking to provide developers tools to help them identify security issues that need to be fixed to prevent the PR from failing. It appears that the issue raised 2+ years ago has not been addressed. Any plans to address this soon?
