CodeQL Dependency Graph Action captures as much dependency information as it can from CodeQL databases and builds a bill of materials from what was discovered during analysis. This is then uploaded as a snapshot to the Dependency Graph, so that the discovered software versions can be checked for known security issues.
```yaml
- name: CodeQL Dependency Graph
  uses: geekmasher/[email protected]
```

## Sample Action Workflow

```yaml
- name: Initialize CodeQL
  uses: github/codeql-action/init@v2
  with:
    languages: ${{ matrix.language }}

# autobuild or manual build

- name: CodeQL Dependency Graph
  uses: geekmasher/[email protected]

- name: Perform CodeQL Analysis
  uses: github/codeql-action/analyze@v2
```

| Language | Query | Completeness |
|---|---|---|
| C/C++ | ✅ query | 🔶 [1] |
| C# | 🔴 | |
| Go | 🔴 | |
| Java | ✅ query | ✅ [2] |
| JavaScript | 🔴 | |
| Python | ✅ query | 🔶 [3] |
| Ruby | 🔴 | |
Notes:
- [1] C/C++ information is incomplete. The query is able to extract some dependency data, but not all of it, because the CodeQL C/C++ extractor does not record everything needed to build complete dependency information.
- [2] Java information is fairly complete. Both Gradle and Maven are well supported.
- [3] Python's data is incomplete. Not all the information needed to build a complete dependency graph is available.
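The snapshot the action uploads, as described at the top of the page, is a GitHub dependency submission. The following is an added example of building one from decoded CodeQL query results and preparing the upload request; it is not the action's own code. It assumes each query row carries the columns (manifest, ecosystem, namespace, name, version, scope), uses a hypothetical detector name and URL, and the sample rows are constructed. The action's real query output and upload code are not shown on this page.

```python
"""Build and submit a GitHub dependency snapshot from CodeQL query results.

Added example, not the action's own code. It assumes each decoded query row
has the columns (manifest, ecosystem, namespace, name, version, scope); the
action's real column layout is not shown on the page.
"""
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote
from urllib.request import Request

# Constructed sample rows standing in for decoded CodeQL query results.
SAMPLE_ROWS = [
    ("pom.xml", "maven", "org.apache.commons", "commons-lang3", "3.12.0", "runtime"),
    ("pom.xml", "maven", "junit", "junit", "4.13.2", "development"),
    ("requirements.txt", "pypi", "", "Requests", "2.31.0", "runtime"),
    ("requirements.txt", "pypi", "", "PyYAML", "", "runtime"),  # version not recovered
]

# Hypothetical detector identity; the real action reports its own.
DETECTOR = {"name": "codeql-dependency-graph-example", "version": "0.0.0",
            "url": "https://example.invalid/detector"}


def package_url(ecosystem, namespace, name, version):
    """Return a purl (pkg:type/namespace/name@version), percent-encoding each part.

    PyPI names are normalised (PEP 503) so the purl matches the advisory database.
    """
    if ecosystem == "pypi":
        name = re.sub(r"[-_.]+", "-", name).lower()
    parts = ["pkg:" + ecosystem]
    if namespace:
        parts.append(quote(namespace, safe=""))
    parts.append(quote(name, safe=""))
    purl = "/".join(parts)
    if version:
        purl += "@" + quote(version, safe="")
    return purl


def build_snapshot(rows, *, sha, ref, correlator, job_id, scanned=None):
    """Group query rows by manifest into the dependency submission JSON shape.

    Returns (snapshot, unversioned): dependencies without a version are kept
    in the snapshot but listed separately, since they cannot be matched
    against a vulnerability advisory.
    """
    manifests = {}
    unversioned = []
    for manifest, eco, ns, name, version, scope in rows:
        purl = package_url(eco, ns, name, version)
        if not version:
            unversioned.append(name)
        entry = manifests.setdefault(manifest, {
            "name": manifest,
            "file": {"source_location": manifest},
            "resolved": {},
        })
        entry["resolved"][purl] = {
            "package_url": purl,
            "relationship": "direct",   # the query rows carry no transitive info
            "scope": scope,
            "dependencies": [],
        }
    snapshot = {
        "version": 0,
        "job": {"correlator": correlator, "id": job_id},
        "sha": sha,
        "ref": ref,
        "detector": DETECTOR,
        "scanned": scanned or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "manifests": manifests,
    }
    return snapshot, unversioned


def submission_request(owner, repo, token, snapshot):
    """Prepare the POST to the dependency submission API (not sent here)."""
    url = f"https://api.github.com/repos/{owner}/{repo}/dependency-graph/snapshots"
    return Request(
        url,
        data=json.dumps(snapshot).encode(),
        headers={
            "Accept": "application/vnd.github+json",
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
        method="POST",
    )


if __name__ == "__main__":
    snap, missing = build_snapshot(
        SAMPLE_ROWS, sha="0" * 40, ref="refs/heads/main",
        correlator="codeql-dependency-graph/ubuntu-latest", job_id="1")
    print(json.dumps(snap, indent=2))
    if missing:
        print("unversioned dependencies (will not match advisories):", missing)
```

Two practical points when wiring this into a workflow: the token used for the POST needs `contents: write` on the repository, and `job.correlator` should be stable across runs (GitHub uses correlator plus ref to decide which earlier snapshot a new one supersedes), otherwise each run appears as a separate source of dependencies. Entries that the query could not version, which is the incomplete case the C/C++ and Python notes above describe, are still submitted here but will never match an advisory, so they are worth surfacing in the job log.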