You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
You are reviewing CodeQL log output for performance issues.
5
6
6
-
It is critical that you understand key aspects of CodeQL log output that can flag performance issues. Understanding the language being scanned is critical to the performance review process. You should be able to identify the language being scanned, the number of files in the database, and the number of lines of code in the database. You should also be able to identify the time taken to extract the code from the database, build the database, and analyze the code.
7
+
It is critical that you understand key aspects of CodeQL log output that can flag performance issues. Understanding the language being scanned is critical to the performance review process. You should be able to identify the language being scanned, the number of files in the database, and the number of lines of code in the database. You should also be able to identify the time taken to extract the code from the database, build the database, and analyze the code.
7
8
8
9
In general, look for the following key aspects in the log output:
10
+
9
11
- The time taken to extract the code from into the CodeQL database insert format (`Extracting ..` and `Done extracting ..` will be logged for each file)
10
12
- The time taken to create/optimize the database indicates size/complexity (`TRAP import`)
11
13
- The time taken to analyze the code (each query: `[##/## eval ###ms] Evaluation done; writing results to... `)
@@ -16,43 +18,43 @@ In general, look for the following key aspects in the log output:
16
18
17
19
These log files will be huge, instead of reading them line by line - run grep style commands in the cli to investigate the file.
18
20
19
-
20
21
## Review Areas
21
22
22
23
### Excluding Code
23
24
24
-
This is one of the most important aspects of CodeQL performance. Excluding a file from analysis will speed up extraction, database creation, query execution, and result generation. We would expect to see some number of files excluded from the scan. Scanning unit tests or vendored dependencies is often not useful, and can slow down the scan. Any interpreted language or compiled that utilizes `build-mode: none` can take advantage of a `paths-ignore` array in a CodeQL configuration file.
25
+
This is one of the most important aspects of CodeQL performance. Excluding a file from analysis will speed up extraction, database creation, query execution, and result generation. We would expect to see some number of files excluded from the scan. Scanning unit tests or vendored dependencies is often not useful, and can slow down the scan. Any interpreted language or compiled that utilizes `build-mode: none` can take advantage of a `paths-ignore` array in a CodeQL configuration file.
25
26
26
27
To analyze this aspect, look for the following key aspects in the log output:
28
+
27
29
- In general, the number of files in the database vs the number of files in the baseline should not match (`CodeQL scanned <# in DB> out of <# in baseline > <language> files ... in this invocation`) - this indicates no exclusions were made.
- Identifying common 3rd party libraries by name and version can be a good indicator of files that should be excluded from the scan. For example `jquery.3.5.1.js` or `react.16.8.6.js`. These are commonly in a parent folder that indicates all files contained are vendored and should be completely excluded from the scan using a `paths-ignore` array entry in the `codeql.yml` file. For example, `paths-ignore: [ '**/public/static/3rd-party-static/**' ]`.
31
+
- Identifying common 3rd party libraries by name and version can be a good indicator of files that should be excluded from the scan. For example `jquery.3.5.1.js` or `react.16.8.6.js`. These are commonly in a parent folder that indicates all files contained are vendored and should be completely excluded from the scan using a `paths-ignore` array entry in the `codeql.yml` file. For example, `paths-ignore: [ '**/public/static/3rd-party-static/**' ]`.
30
32
- Call out any timings > 1000ms for extraction `(11164 ms)` - often times this indicates a large bundled JS file (and other files in the same folder are often Generated or vendored).
31
33
32
-
33
34
See also: https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/analysis-takes-too-long#reduce-the-amount-of-code-being-analyzed-in-a-single-workflow
34
35
35
36
### Hardware Recommendations
36
37
37
-
The default GitHub runner is 8GB of RAM and 2 CPUs. This is often not enough power for extracting code from large repos or scanning through complex databases. A RAM ~7GB `CODEQL_RAM: 6914` and 2 cores `CODEQL_THREADS: 2` will likely indicate this is running on the default runner.
38
+
The default GitHub runner is 8GB of RAM and 2 CPUs. This is often not enough power for extracting code from large repos or scanning through complex databases. A RAM ~7GB `CODEQL_RAM: 6914` and 2 cores `CODEQL_THREADS: 2` will likely indicate this is running on the default runner.
38
39
39
40
The recommended hardware sizes for running CodeQL are based off of lines of code:
40
-
- Small (<100 K lines of code) = 8 GB or higher 2 cores
41
-
- Medium (100 K to 1 M lines of code) = 16 GB or higher 4 or 8 cores
42
-
- Large (>1 M lines of code) = 64 GB or higher 8 cores
41
+
42
+
- Small (<100 K lines of code) = 8 GB or higher 2 cores
43
+
- Medium (100 K to 1 M lines of code) = 16 GB or higher 4 or 8 cores
44
+
- Large (>1 M lines of code) = 64 GB or higher 8 cores
43
45
44
46
See also: https://docs.github.com/en/code-security/code-scanning/troubleshooting-code-scanning/analysis-takes-too-long#increase-the-memory-or-cores
45
47
46
-
`Compiling in one thread due to RAM limits.` is an indication that there is limited RAM available. This is not often critical as the CodeQL bundle is used that includes precompiled queries.
48
+
`Compiling in one thread due to RAM limits.` is an indication that there is limited RAM available. This is not often critical as the CodeQL bundle is used that includes precompiled queries.
47
49
48
50
### Breaking apart monorepos
49
51
50
-
CodeQL can detect data flows through the code but once it reaches a process boundary the flow is stopped. This creates a natural separation point for CodeQL scans based on data flows. Creating a CodeQL scan configuration that separates applications by front end (ex: Web.sln) and back end code(ex: API.sln) that are separated by process/network boundaries would be optimal for performance. This would allow for a smaller database to be created and analyzed. The time taken to extract the code from the database, build the database, and analyze the code would all be reduced. This would further enable a decrease in wall-clock scan time by using parallel per-solution scans using an Actions matrix strategy (such that each gets its own runtime and resources). It will be important to include your common framework code in each solution so that you get a successful compilation while you further analyze other ways to share code.
51
-
52
-
Consider utilizing the https://github.com/advanced-security/monorepo-code-scanning-action that builds scan filters based on the monorepo structure as defined in a `projects.json` to describe the monorepo project structure. Further this will optimize scanning by detectiong which projects have changed on a PR and only scanning those projects. Each project will be analyzed in parallel and the results will be combined into a single report. This will further reduce the time taken to scan the monorepo.
52
+
CodeQL can detect data flows through the code but once it reaches a process boundary the flow is stopped. This creates a natural separation point for CodeQL scans based on data flows. Creating a CodeQL scan configuration that separates applications by front end (ex: Web.sln) and back end code(ex: API.sln) that are separated by process/network boundaries would be optimal for performance. This would allow for a smaller database to be created and analyzed. The time taken to extract the code from the database, build the database, and analyze the code would all be reduced. This would further enable a decrease in wall-clock scan time by using parallel per-solution scans using an Actions matrix strategy (such that each gets its own runtime and resources). It will be important to include your common framework code in each solution so that you get a successful compilation while you further analyze other ways to share code.
53
53
54
+
Consider utilizing the https://github.com/advanced-security/monorepo-code-scanning-action that builds scan filters based on the monorepo structure as defined in a `projects.json` to describe the monorepo project structure. Further this will optimize scanning by detectiong which projects have changed on a PR and only scanning those projects. Each project will be analyzed in parallel and the results will be combined into a single report. This will further reduce the time taken to scan the monorepo.
54
55
55
56
To find this scenario - review the extractor logs and identify common project structures that might indicate individual applications that would not have any cross method calls OR data flows. Commonly applications will be organized by various techniques - if any of these appear like good candidates for separation, please call them out:
57
+
56
58
- monorepo structure (ex: `apps/` or `services/`)
57
59
- front end web/api / middle tier api / back end data access
58
60
- common project structures (ex: `src/` or `lib/` or `framework/` or `common/`)
0 commit comments