You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/codeql/codeql-cli/about-codeql-packs.rst
+12-2Lines changed: 12 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -9,8 +9,8 @@ CodeQL packs are used to create, share, depend on, and run CodeQL queries and li
9
9
10
10
There are two types of CodeQL packs: query packs and library packs.
11
11
12
-
* Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and a compilation cache. This ensures consistent and efficient execution of the queries in the pack.
13
-
* Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled and there is no compilation cache included when the pack is published.
12
+
* Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and pre-compiled representations of each query, in addition to the query sources. This ensures consistent and efficient execution of the queries in the pack.
13
+
* Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled separately.
14
14
15
15
You can use the package management commands in the CodeQL CLI to create CodeQL packs, add dependencies to packs, and install or update dependencies. For more information, see ":ref:`Creating and working with CodeQL packs <creating-and-working-with-codeql-packs>`." You can also publish and download CodeQL packs using the CodeQL CLI. For more information, see ":doc:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`."
16
16
@@ -31,6 +31,16 @@ The other files and directories within the pack should be logically organized. F
31
31
- Queries for specific products, libraries, and frameworks are organized into
32
32
their own top-level directories.
33
33
34
+
About published packs
35
+
~~~~~~~~~~~~~~~~~~~~~~~~~
36
+
37
+
When a pack is published for use in analyses, the ``codeql pack create`` or ``codeql pack publish`` command verifies that the content is complete and also adds some additional pieces of content to it:
38
+
39
+
* For query packs, a copy of each of the library packs it depends on, in the precise versions it has been developed with. Users of the query pack won't need to download these library packs separately.
40
+
* For query packs, precompiled representations of each of the queries. These are faster to execute than it would be to compile the QL source for the query at each analysis.
41
+
42
+
Most of this data is located in a directory named ``.codeql`` in the published pack, but precompiled queries are in files with a ``.qlx`` suffix next to the ``.ql`` source for each query. When analyzing a database with a query from a published pack, CodeQL will load these files instead of the ``.ql`` source. If you need to modify the content of a *published* pack, be sure to remove all of the ``.qlx`` files, since they may prevent modifications in the ``.ql`` files from taking effect.
Copy file name to clipboardExpand all lines: docs/codeql/codeql-cli/creating-and-working-with-codeql-packs.rst
+14-2Lines changed: 14 additions & 2 deletions
Original file line number
Diff line number
Diff line change
@@ -14,11 +14,13 @@ With CodeQL packs and the package management commands in the CodeQL CLI, you can
14
14
15
15
There are two types of CodeQL packs: query packs and library packs.
16
16
17
-
* Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and a compilation cache. This ensures consistent and efficient execution of the queries in the pack.
18
-
* Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled and there is no compilation cache included when the pack is published.
17
+
* Query packs are designed to be run. When a query pack is published, the bundle includes all the transitive dependencies and pre-compiled representations of each query, in addition to the query sources. This ensures consistent and efficient execution of the queries in the pack.
18
+
* Library packs are designed to be used by query packs (or other library packs) and do not contain queries themselves. The libraries are not compiled separately.
19
19
20
20
You can use the ``pack`` command in the CodeQL CLI to create CodeQL packs, add dependencies to packs, and install or update dependencies. You can also publish and download CodeQL packs using the ``pack`` command. For more information, see ":doc:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`."
21
21
22
+
For more information about compatibility between published query packs and different CodeQL releases, see ":ref:`About CodeQL pack compatibility <about-codeql-pack-compatibility>`."
23
+
22
24
Creating a CodeQL pack
23
25
----------------------
24
26
You can create a CodeQL pack by running the following command from the checkout root of your project:
@@ -81,3 +83,13 @@ This command downloads all dependencies to the shared cache on the local disk.
81
83
By default ``codeql pack install`` will install dependencies from the Container registry on GitHub.com.
82
84
You can install dependencies from a GitHub Enterprise Server Container registry by creating a ``qlconfig.yml`` file.
83
85
For more information, see ":doc:`Publishing and using CodeQL packs <publishing-and-using-codeql-packs>`."
The recommended way to experiment with changes to a pack is to clone the repository containing its source code.
91
+
92
+
If no source respository is available and you need to base modifications on a pack downloaded from the Container registry, be aware that these packs are not intended to be modified or customized after downloading, and their format may change in the future without much notice. We recommend taking the following steps after downloading a pack if you need to modify the content:
93
+
94
+
- Change the pack *name* in ``qlpack.yml`` so you avoid confusion with results from the unmodified pack.
95
+
- Remove all files named ``*.qlx`` anywhere in the unpacked directory structure. These files contain precompiled versions of the queries, and in some situations CodeQL will use them in preference to the QL source you have modified.
Copy file name to clipboardExpand all lines: docs/codeql/codeql-cli/publishing-and-using-codeql-packs.rst
+42Lines changed: 42 additions & 0 deletions
Original file line number
Diff line number
Diff line change
@@ -53,6 +53,9 @@ To run a pack that someone else has created, you must first download it by runni
53
53
54
54
This command accepts arguments for multiple packs.
55
55
56
+
If you write scripts that specify a particular version number of a query pack to download, keep in mind that when you update your version of CodeQL to a newer one, you may also need to switch to a newer version of the query pack. Newer versions of CodeQL *may* provide
57
+
degraded performance when used with query packs that have been pinned to a very old version. For more information, see ":ref:`About CodeQL pack compatibility <about-codeql-pack-compatibility>`."
58
+
56
59
Using a CodeQL pack to analyze a CodeQL database
57
60
------------------------------------------------
58
61
@@ -74,6 +77,45 @@ The ``analyze`` command will run the default suite of any specified CodeQL packs
The ``codeql pack download`` command stores the pack it downloads in an internal location that is not intended for local modification. Unexpected (and hard to troubleshoot) behavior may result if the pack is modified after downloading. For more information about customizing packs, see ":ref:`Creating and working with CodeQL packs <creating-and-working-with-codeql-packs>`."
85
+
86
+
.. _about-codeql-pack-compatibility:
87
+
88
+
About CodeQL pack compatibility
89
+
-------------------------------
90
+
91
+
When a query pack is published, it includes pre-compiled representations of all the queries in it. These pre-compiled queries are generally much faster to execute than it is to compile the QL source from scratch during the analysis. However, the pre-compiled queries also depend on certain internals of the QL evaluator, so if the version of CodeQL that performs the analysis is too different from the version that ran ``codeql pack publish``, it may be necessary to compile the queries from source instead during analysis. The recompilation happens automatically and will not affect the *results* of the analysis, but it can make the
92
+
analysis significantly slower.
93
+
94
+
It can generally be assumed that if a pack is published with one release of CodeQL, the precompiled queries in it can be used directly by *later* releases of CodeQL, as long as there is no more than 6 months between the release dates. We will make reasonable efforts to keep new releases compatible for longer than that, but make no promises.
95
+
96
+
It can also be assumed that a pack published by the *latest* public release of CodeQL will be useable by the version of CodeQL that is used by code scanning and GitHub Actions, even though that is often a slightly older release.
97
+
98
+
As an exception to the above, packs published with versions of CodeQL *earlier than 2.12.0* are not compatible with any earlier or later versions. These old versions did not write pre-compiled queries in a format that supported compatibility between releases. Packs published by these versions can still be *used* by newer versions, but the analysis will be slower because the queries have to be recompiled first.
99
+
100
+
As a user of a published query pack, you can check that the CodeQL makes use of the precompiled queries in it by inspecting the terminal output from an analysis runs that uses the query pack. If it contains lines looking like the following, then the precompiled queries were used successfully:
101
+
102
+
::
103
+
104
+
[42/108] Loaded /long/path/to/query/Filename.qlx.
105
+
106
+
However, if they instead look like the following, then usage of the precompiled queries failed:
107
+
108
+
::
109
+
110
+
Compiling query plan for /long/path/to/query/Filename.ql.
The results of the analysis will still be good in this case, but to get optimal performance you may need to upgrade to a newer version of the CodeQL CLI and/or of the query pack.
114
+
115
+
If you publish query packs on the Container registry on GitHub.com for others to use, we recommend that you use a recent release of CodeQL to run ``codeql pack publish``, and that you publish a fresh version of your pack with an updated CodeQL version before the version you used turns 6 months old. That way you can ensure that users of your pack who keep *their* CodeQL up to date will benefit from the pre-compiled queries in your pack.
116
+
117
+
If you publish query packs with the intention of using them on a GitHub Enterprise Server installation that uses its bundled CodeQL binaries, use the same CodeQL version to run ``codeql pack publish``. Newer versions might produce pre-compiled queries that the one in GitHub Enterprise Server may not recognize. Your GitHub Enterprise Server administrator may choose to upgrade to a newer version of CodeQL periodically. If so, follow their lead.
118
+
77
119
.. _working-with-codeql-packs-on-ghes:
78
120
79
121
Working with CodeQL packs on GitHub Enterprise Server
0 commit comments