Auto-download CodeQL query packs before analysis#38

Open
AndrewMohawk wants to merge 1 commit intogadievron:mainfrom
AndrewMohawk:fix/codeql-auto-download-packs

Conversation

@AndrewMohawk

Summary

  • Fixes "Query pack cannot be found" errors by automatically downloading required query packs before running analysis
  • Adds _ensure_pack_downloaded() method to QueryRunner
  • Caches downloaded packs to avoid redundant downloads

Problem

When running CodeQL analysis, the query packs need to be downloaded first:

A fatal error occurred: Query pack codeql/javascript-queries:codeql-suites/javascript-security-and-quality.qls cannot be found.

Solution

Automatically download query packs before analysis by extracting the pack name from the suite reference and calling codeql pack download.

Test plan

  • Run CodeQL analysis on TypeScript project
  • Verify pack is downloaded automatically
  • Verify analysis completes with findings

🤖 Generated with Claude Code

Fixes "Query pack cannot be found" errors by automatically downloading
required query packs before running analysis.

Changes:
- Add _ensure_pack_downloaded() method to QueryRunner
- Automatically downloads packs like codeql/javascript-queries
- Caches downloaded packs to avoid redundant downloads
- Extracts pack name from suite reference (e.g., codeql/javascript-queries:...)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Ensure query pack is downloaded (extract pack name from suite reference)
if ":" in suite_name:
pack_name = suite_name.split(":")[0]
self._ensure_pack_downloaded(pack_name)
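Review bot: the result of `self._ensure_pack_downloaded(pack_name)` is never checked, so if `codeql pack download` fails the code falls through into analysis and the same "Query pack cannot be found" fatal error surfaces later instead of at the point that could explain it; have `_ensure_pack_downloaded` raise (or return a status and `raise` here) when the download does not succeed, and verify the pack actually resolves before continuing. Note too that the `if ":" in suite_name` guard means a reference without a suite path (a bare pack name) is never downloaded at all; the pack-name extraction should cover that form as well.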
Collaborator

I guess we need to add an if statement here to ascertain if the pack was actually downloaded; if not, fail and alert, and not just continue.

Collaborator

@danielcuthbert danielcuthbert left a comment

This is a good first stab and yes, we do need to download the suites and packs. Currently they should live in engine/codeql/suites but that is empty. This PR calls run_suite() when the workflow is already underway, and if it fails to download, it will still run. What I think is a better approach is that we check to see if the packs exist before database creation and analysis; if not, pull them down and validate, and then go from there.

We could add this into packages/codeql/querty_runner.py.

During testing, I set the CODEQL_QUERIES env var and that was wrong.

So if we could move this earlier in the workflow, that would be better imho.
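The PR description's approach (extract the pack name from the suite reference, run `codeql pack download`, cache the result) and the two review comments (fail instead of continuing when the download does not succeed, and do the check before database creation) can be combined into one pre-flight step. The following is an added example written for this page, not the PR's or the project's code. `parse_pack_ref`, `PackDownloader`, `PackDownloadError` and the `FakeCodeQL` test double are hypothetical names; `codeql pack download <pack[@version]>` and `codeql resolve qlpacks --format=json` are real CLI commands, but the JSON shape assumed for the latter (`{"scope/name": ["<pack dir>", ...]}`) is an assumption. It goes slightly beyond the PR's `split(":")[0]` by also accepting `scope/name@version:path` references and bare pack names, and by treating anything that does not look like a pack reference (a local `.qls` path) as nothing to download.

```python
"""Pre-flight download and validation of CodeQL query packs (added example,
not the project's code). Assumes `codeql resolve qlpacks --format=json`
prints {"scope/name": ["<pack dir>", ...]}; that shape is an assumption."""
import json
import re
import subprocess
from typing import Callable, Dict, Iterable, List, Optional, Tuple

# `scope/name[@version][:path/within/pack]`; anything else (for example a
# local path such as ./suites/custom.qls) is not a pack reference.
_PACK_REF = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9-]*/[a-z0-9][a-z0-9-]*)"
    r"(?:@(?P<version>[^:]+))?"
    r"(?::(?P<path>.+))?$"
)

RunCommand = Callable[[List[str]], subprocess.CompletedProcess]


class PackDownloadError(RuntimeError):
    """A pack could not be downloaded, or does not resolve afterwards."""


def parse_pack_ref(suite_ref: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (pack_name, version) for a pack-style reference, else None."""
    m = _PACK_REF.match(suite_ref.strip())
    return (m.group("name"), m.group("version")) if m else None


def _subprocess_run(cmd: List[str]) -> subprocess.CompletedProcess:
    return subprocess.run(cmd, capture_output=True, text=True, check=False)


class PackDownloader:
    """Downloads each pack once, verifies it resolves, and raises otherwise."""

    def __init__(self, codeql: str = "codeql", run: RunCommand = _subprocess_run):
        self._codeql = codeql
        self._run = run                     # injectable, so the flow is testable offline
        self._cache: Dict[str, str] = {}    # "scope/name[@version]" -> pack directory

    def ensure_pack(self, suite_ref: str) -> Optional[str]:
        parsed = parse_pack_ref(suite_ref)
        if parsed is None:
            return None                     # local suite file: nothing to download
        name, version = parsed
        spec = f"{name}@{version}" if version else name
        if spec in self._cache:
            return self._cache[spec]

        dl = self._run([self._codeql, "pack", "download", spec])
        if dl.returncode != 0:
            raise PackDownloadError(
                f"codeql pack download {spec} failed (rc={dl.returncode}): {dl.stderr.strip()}")

        # Do not trust the exit code alone: confirm the pack is now resolvable.
        res = self._run([self._codeql, "resolve", "qlpacks", "--format=json"])
        if res.returncode != 0:
            raise PackDownloadError(f"codeql resolve qlpacks failed: {res.stderr.strip()}")
        try:
            packs = json.loads(res.stdout or "{}")
        except json.JSONDecodeError as exc:
            raise PackDownloadError("unexpected output from codeql resolve qlpacks") from exc
        dirs = packs.get(name) or []
        if not dirs:
            raise PackDownloadError(f"{name} is still not resolvable after download")
        self._cache[spec] = dirs[0]
        return dirs[0]

    def ensure_all(self, suite_refs: Iterable[str]) -> Dict[str, str]:
        """Call before `codeql database create`: every pack resolved, or an exception."""
        resolved: Dict[str, str] = {}
        for ref in suite_refs:
            path = self.ensure_pack(ref)
            if path is not None:
                resolved[ref] = path
        return resolved


class FakeCodeQL:
    """Constructed stand-in for the CLI so the example runs offline."""

    def __init__(self, available: Iterable[str]):
        self.available = set(available)     # packs the fake registry can serve
        self.installed: set = set()
        self.calls: List[List[str]] = []

    def __call__(self, cmd: List[str]) -> subprocess.CompletedProcess:
        self.calls.append(cmd)
        if cmd[1:3] == ["pack", "download"]:
            name = cmd[3].split("@")[0]
            if name in self.available:
                self.installed.add(name)
                return subprocess.CompletedProcess(cmd, 0, "", "")
            return subprocess.CompletedProcess(cmd, 1, "", f"Pack {name} not found")
        if cmd[1:3] == ["resolve", "qlpacks"]:
            out = json.dumps({n: [f"/home/ci/.codeql/packages/{n}/1.0.0"] for n in self.installed})
            return subprocess.CompletedProcess(cmd, 0, out, "")
        return subprocess.CompletedProcess(cmd, 2, "", "unknown command")
```

Usage: build one `PackDownloader()` (with the real `codeql` on `PATH`) at the start of the workflow and call `ensure_all([...])` with every suite reference the run needs before `codeql database create`; a `PackDownloadError` there aborts the job with the download error attached, rather than letting analysis start and die on "Query pack cannot be found". Within one run a second suite from the same pack (for example `javascript-code-scanning.qls` after `javascript-security-and-quality.qls`) hits the cache and triggers no second download.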


2 participants