codeql cli results multiple languages

[sam-cha-tfs]

We have a repo that uses JS and C#. Our CI/CD uses the CLI to upload the results to GItHub but I don't see any notification if there were vulnerabilities on GitHub. The CLI outputs the sarif files were uploaded. I also only see the "last scanned" timestamp on GitHub. Below is a picture of the timestamp and commands I used. When I ran codeql locally I got vulnerabilities for one of the sarif files. Am I uploading correctly? What notifications do we receive from GitHub if there are no vulnerabilities?

codeql database create codeql-db --db-cluster --language=javascript,csharp --command=<build.pl>

codeql database analyze codeql-db/cpp cpp-security-extended.qls --format=sarif-latest --output=cpp.sarif --sarif-add-baseline-file-info

codeql database analyze codeql-db/javascript javascript-security-extended.qls --format=sarif-latest --output=js.sarif --sarif-add-baseline-file-info

codeql github upload-results --repository=<org/repo_name> --refs=ref/heads/master --sarif=cpp.sarif --commit=<commit id>

codeql github upload-results --repository=<org/repo_name> --refs=ref/heads/master --sarif=js.sarif --commit=<commit id>

[smowton]

I note that in https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#running-codeql-database-analyze the blue box recommends using --sarif-category to distinguish the two different languages. Does including that option help?

[smowton]

You can look at the SARIF using jq or anything else that parses JSON and verify that it contains results. Otherwise I would recommending analysing a toy project that will generate at least one hit, and which you would be able to share the project and/or its SARIF output so we can reproduce the problem.

[sam-cha-tfs]

Looks like I figured the issue. The file is uploaded to GitHub correctly. Alerts are only shown for the default branch as stated here in the link below. We would then need to filter the branch for the alerts. I can see alerts now but I still can't see the scan information. Is this because we don't have the scan enabled on the default branch? See my examples below where one repo has code scan enabled on the default branch and the other does not have it enabled on it's default branch.

https://docs.github.com/en/github-ae@latest/code-security/code-scanning/managing-code-scanning-alerts/managing-code-scanning-alerts-for-your-repository#viewing-the-alerts-for-a-repository

Fig 1. The default branch does not have code scan enabled but the dev branch does. There is no "tool status"

Fig 2A. A repo where the default branch has code scan enabled which enables the feature branch "main-2" and shows "tool status"

Fig 2B. I can click the tool status and view the scan results

[smowton]

Yes that's right, as per @jketema's response at https://github.com/orgs/community/discussions/61263

[smowton]

Since those are both JS results by the way, do check that use of sarif-category is enabling both C# and JS results to appear concurrently, perhaps by experimentally introducing a deliberate mistake in the C#.

[sam-cha-tfs]

Yes that's what I am unsure. I will check and experiment with it.

[felickz]

I know this is pseudo code but you are creating a charp DB and then attempting to analyze with cpp. In practice you likely got an error where you already corrected that but FYI!