run-codeql 1.1.1__tar.gz → 1.2.0__tar.gz

{run_codeql-1.1.1 → run_codeql-1.2.0}/PKG-INFO

@@ -1,51 +1,28 @@
 Metadata-Version: 2.4
 Name: run-codeql
-Version: 1.1.1
+Version: 1.2.0
 Summary: Run CodeQL code-quality analysis locally, mirroring the GitHub 'Code Quality' check
-Project-URL: Homepage, https://github.com/dereknorrbom/run-codeql
-Project-URL: Repository, https://github.com/dereknorrbom/run-codeql
-Project-URL: Bug Tracker, https://github.com/dereknorrbom/run-codeql/issues
-Author-email: Derek Norrbom <dereknorrbom@gmail.com>
-License: MIT License
-        
-        Copyright (c) 2026 Derek Norrbom
-        
-        Permission is hereby granted, free of charge, to any person obtaining a copy
-        of this software and associated documentation files (the "Software"), to deal
-        in the Software without restriction, including without limitation the rights
-        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-        copies of the Software, and to permit persons to whom the Software is
-        furnished to do so, subject to the following conditions:
-        
-        The above copyright notice and this permission notice shall be included in all
-        copies or substantial portions of the Software.
-        
-        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-        SOFTWARE.
+License-Expression: MIT
 License-File: LICENSE
-Keywords: code-quality,codeql,linting,security,static-analysis
+Keywords: codeql,static-analysis,code-quality,security,linting
+Author: Derek Norrbom
+Author-email: dereknorrbom@gmail.com
+Requires-Python: >=3.10
 Classifier: Development Status :: 4 - Beta
 Classifier: Environment :: Console
 Classifier: Intended Audience :: Developers
-Classifier: License :: OSI Approved :: MIT License
 Classifier: Operating System :: OS Independent
 Classifier: Programming Language :: Python :: 3
 Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
-Classifier: Topic :: Security
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
 Classifier: Topic :: Software Development :: Quality Assurance
-Requires-Python: >=3.10
-Provides-Extra: dev
-Requires-Dist: black; extra == 'dev'
-Requires-Dist: pytest; extra == 'dev'
-Requires-Dist: pytest-cov; extra == 'dev'
-Requires-Dist: ruff; extra == 'dev'
+Classifier: Topic :: Security
+Project-URL: Bug Tracker, https://github.com/dereknorrbom/run-codeql/issues
+Project-URL: Homepage, https://github.com/dereknorrbom/run-codeql
+Project-URL: Repository, https://github.com/dereknorrbom/run-codeql
 Description-Content-Type: text/markdown
 
 # run-codeql
@@ -84,9 +61,11 @@ rcql --lang python,actions  # scan multiple specific languages
 | `--verbose`, `-v` | Print each finding with rule ID, location, and message |
 | `--quiet`, `-q` | Suppress log output; print only final summaries (for agent/scripted use) |
 | `--files` | Comma-separated file paths or fnmatch patterns to restrict findings to (e.g. `src/foo.py` or `src/*.py`) |
+| `--exclude-files` | Comma-separated file paths or fnmatch patterns to exclude from findings (e.g. `src/generated/**`) |
 | `--rule` | Comma-separated rule IDs or fnmatch patterns to restrict findings to (e.g. `py/unused-import` or `py/*`) |
 | `--limit N` | Return at most N findings (after `--files`/`--rule` filtering) |
 | `--offset N` | Skip the first N findings before applying `--limit` (for pagination) |
+| `--include-third-party` | Include findings from third-party/vendor paths (default output suppresses common dependency noise) |
 | `--keep-db` | Reuse existing databases instead of recreating them |
 | `--keep-reports` | Do not delete prior SARIF reports before running |
 | `--no-fail` | Exit 0 even if findings or scan errors exist |
@@ -164,6 +143,8 @@ Example output:
 
 When a scan returns hundreds or thousands of findings, use `--files`, `--rule`, `--limit`, and `--offset` to slice the results. These flags work with both `--report-only` and live scans.
 
+By default, summary output suppresses common third-party noise paths such as `node_modules`, `vendor`, and `.codeql` mirror artifacts. Use `--include-third-party` to opt in to those findings.
+
 **Filter to a specific file:**
 
 ```sh
@@ -273,3 +254,4 @@ Contributions are welcome. Please:
 ## License
 
 MIT
+

{run_codeql-1.1.1 → run_codeql-1.2.0}/README.md

@@ -34,9 +34,11 @@ rcql --lang python,actions  # scan multiple specific languages
 | `--verbose`, `-v` | Print each finding with rule ID, location, and message |
 | `--quiet`, `-q` | Suppress log output; print only final summaries (for agent/scripted use) |
 | `--files` | Comma-separated file paths or fnmatch patterns to restrict findings to (e.g. `src/foo.py` or `src/*.py`) |
+| `--exclude-files` | Comma-separated file paths or fnmatch patterns to exclude from findings (e.g. `src/generated/**`) |
 | `--rule` | Comma-separated rule IDs or fnmatch patterns to restrict findings to (e.g. `py/unused-import` or `py/*`) |
 | `--limit N` | Return at most N findings (after `--files`/`--rule` filtering) |
 | `--offset N` | Skip the first N findings before applying `--limit` (for pagination) |
+| `--include-third-party` | Include findings from third-party/vendor paths (default output suppresses common dependency noise) |
 | `--keep-db` | Reuse existing databases instead of recreating them |
 | `--keep-reports` | Do not delete prior SARIF reports before running |
 | `--no-fail` | Exit 0 even if findings or scan errors exist |
@@ -114,6 +116,8 @@ Example output:
 
 When a scan returns hundreds or thousands of findings, use `--files`, `--rule`, `--limit`, and `--offset` to slice the results. These flags work with both `--report-only` and live scans.
 
+By default, summary output suppresses common third-party noise paths such as `node_modules`, `vendor`, and `.codeql` mirror artifacts. Use `--include-third-party` to opt in to those findings.
+
 **Filter to a specific file:**
 
 ```sh

{run_codeql-1.1.1 → run_codeql-1.2.0}/pyproject.toml

@@ -1,43 +1,49 @@
 [build-system]
-requires = ["hatchling"]
-build-backend = "hatchling.build"
+requires = ["poetry-core"]
+build-backend = "poetry.core.masonry.api"
 
 [project]
 name = "run-codeql"
-version = "1.1.1"
+version = "1.2.0"
 description = "Run CodeQL code-quality analysis locally, mirroring the GitHub 'Code Quality' check"
 readme = "README.md"
-license = { file = "LICENSE" }
+license = "MIT"
 authors = [{ name = "Derek Norrbom", email = "dereknorrbom@gmail.com" }]
-requires-python = ">=3.10"
-dependencies = []
 keywords = ["codeql", "static-analysis", "code-quality", "security", "linting"]
 classifiers = [
     "Development Status :: 4 - Beta",
     "Environment :: Console",
     "Intended Audience :: Developers",
-    "License :: OSI Approved :: MIT License",
     "Operating System :: OS Independent",
     "Programming Language :: Python :: 3",
     "Programming Language :: Python :: 3.10",
     "Programming Language :: Python :: 3.11",
     "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Programming Language :: Python :: 3.14",
     "Topic :: Software Development :: Quality Assurance",
     "Topic :: Security",
 ]
+requires-python = ">=3.10"
+dependencies = []
 
 [project.urls]
 Homepage = "https://github.com/dereknorrbom/run-codeql"
 Repository = "https://github.com/dereknorrbom/run-codeql"
 "Bug Tracker" = "https://github.com/dereknorrbom/run-codeql/issues"
 
-[project.optional-dependencies]
-dev = [
-    "pytest",
-    "pytest-cov",
-    "black",
-    "ruff",
-]
+[project.scripts]
+run-codeql = "run_codeql.cli:main"
+rcql = "run_codeql.cli:main"
+
+[tool.poetry]
+packages = [{ include = "run_codeql" }]
+
+[tool.poetry.group.dev.dependencies]
+pytest = ">=8.0"
+pytest-cov = ">=6.0"
+black = ">=25.0"
+ruff = ">=0.9"
 
 [tool.black]
 line-length = 100
@@ -50,15 +56,11 @@ target-version = "py310"
 [tool.ruff.lint]
 select = ["E", "F", "W", "I"]
 
-[project.scripts]
-run-codeql = "run_codeql.cli:main"
-rcql = "run_codeql.cli:main"
-
 [tool.semantic_release]
 version_toml = ["pyproject.toml:project.version"]
 branch = "main"
 changelog_file = "CHANGELOG.md"
-build_command = "pip install build && python -m build"
+build_command = "pip install poetry && poetry build"
 dist_path = "dist/"
 upload_to_vcs_release = true
 

{run_codeql-1.1.1 → run_codeql-1.2.0}/run_codeql/cli.py

@@ -11,7 +11,7 @@ from run_codeql.download import fetch_codeql
 from run_codeql.logging_utils import configure_logging, err, log
 from run_codeql.sarif import build_sarif_summary
 from run_codeql.scanner import cleanup_reports, detect_langs, run_lang
-from run_codeql.settings import TOOLS_DIR
+from run_codeql.settings import DEFAULT_SARIF_EXCLUDE_PATTERNS, TOOLS_DIR
 
 
 def main() -> None:
@@ -73,6 +73,22 @@ def main() -> None:
             "(e.g. 'src/foo.py' or 'src/*.py')"
         ),
     )
+    parser.add_argument(
+        "--exclude-files",
+        default=None,
+        help=(
+            "Comma-separated file paths (or fnmatch patterns) to exclude findings from. "
+            "Applied after URI normalization."
+        ),
+    )
+    parser.add_argument(
+        "--include-third-party",
+        action="store_true",
+        help=(
+            "Include third-party findings. By default, rcql suppresses common "
+            "noise paths like node_modules/vendor/.codeql."
+        ),
+    )
     parser.add_argument(
         "--rule",
         default=None,
@@ -102,6 +118,13 @@ def main() -> None:
         print("[codeql-local] running in quiet mode", file=sys.stderr, flush=True)
 
     file_patterns = [p.strip() for p in args.files.split(",") if p.strip()] if args.files else None
+    exclude_file_patterns: list[str] = (
+        [] if args.include_third_party else list(DEFAULT_SARIF_EXCLUDE_PATTERNS)
+    )
+    if args.exclude_files:
+        exclude_file_patterns.extend(
+            [p.strip() for p in args.exclude_files.split(",") if p.strip()]
+        )
     rule_patterns = [p.strip() for p in args.rule.split(",") if p.strip()] if args.rule else None
 
     repo_root = Path.cwd()
@@ -129,6 +152,7 @@ def main() -> None:
                 sarif,
                 verbose=args.verbose,
                 files=file_patterns,
+                exclude_files=exclude_file_patterns,
                 rules=rule_patterns,
                 limit=args.limit,
                 offset=args.offset,
@@ -184,6 +208,7 @@ def main() -> None:
                 sarif,
                 verbose=args.verbose,
                 files=file_patterns,
+                exclude_files=exclude_file_patterns,
                 rules=rule_patterns,
                 limit=args.limit,
                 offset=args.offset,

{run_codeql-1.1.1 → run_codeql-1.2.0}/run_codeql/sarif.py

@@ -6,6 +6,8 @@ import re
 from dataclasses import dataclass
 from pathlib import Path
 
+_DB_MIRROR_RE = re.compile(r"(?:^|/)\.codeql/db-[^/]+/src/(?P<src>.+)$")
+
 
 @dataclass(frozen=True)
 class SarifSummary:
@@ -31,10 +33,47 @@ def _uri_matches(uri: str, patterns: list[str]) -> bool:
     return False
 
 
+def _normalize_uri(uri: str) -> str:
+    """Normalize SARIF artifact URIs to stable, source-like paths.
+
+    CodeQL may emit artifact URIs that point into the generated database mirror,
+    e.g. ``.codeql/db-python/src/<abs-repo-path>/src/file.py``. This function
+    maps those back to repository-relative paths when possible so findings are
+    not shown twice (real path + mirror path).
+    """
+    if not uri:
+        return ""
+
+    normalized = uri.replace("\\", "/")
+    if normalized.startswith("file://"):
+        normalized = normalized[7:]
+
+    match = _DB_MIRROR_RE.search(normalized)
+    if match:
+        normalized = match.group("src")
+
+    cwd_posix = str(Path.cwd().resolve()).replace("\\", "/")
+    cwd_no_leading = cwd_posix.lstrip("/")
+    if (
+        cwd_posix.startswith("/")
+        and not normalized.startswith("/")
+        and (normalized == cwd_no_leading or normalized.startswith(cwd_no_leading + "/"))
+    ):
+        normalized = "/" + normalized
+
+    if normalized.startswith(cwd_posix + "/"):
+        normalized = normalized[len(cwd_posix) + 1 :]
+    elif normalized == cwd_posix:
+        normalized = "."
+
+    return normalized
+
+
 def build_sarif_summary(
     sarif: Path,
     verbose: bool = False,
     files: list[str] | None = None,
+    exclude_files: list[str] | None = None,
     rules: list[str] | None = None,
     limit: int | None = None,
     offset: int = 0,
@@ -45,6 +84,7 @@ def build_sarif_summary(
         sarif:   Path to the ``.sarif`` file.
         verbose: Include per-finding details in the output text.
         files:   Optional list of fnmatch patterns matched against artifact URIs.
+        exclude_files: Optional list of fnmatch patterns excluded from artifact URIs.
         rules:   Optional list of fnmatch patterns matched against rule IDs
                  (e.g. ``['py/unused-import']`` or ``['py/*']``).
         limit:   If set, return at most this many findings (after *offset*).
@@ -60,21 +100,37 @@ def build_sarif_summary(
     # Collect all matching results first so we can apply offset/limit uniformly.
     matched: list[dict] = []
     rules_map: dict[str, dict] = {}
+    seen_keys: set[tuple[str, str, int | str, str, str]] = set()
 
     for run in data.get("runs", []):
         rules_map.update(
             {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
         )
         for result in run.get("results", []):
+            loc = result.get("locations", [{}])[0]
+            phys = loc.get("physicalLocation", {})
+            raw_uri = phys.get("artifactLocation", {}).get("uri", "")
+            uri = _normalize_uri(raw_uri)
+            line = phys.get("region", {}).get("startLine", "")
+            rule_id = result.get("ruleId", "")
+            level = result.get("level", "warning")
+            message = re.sub(
+                r"\[([^\]]+)\]\(\d+\)", r"\1", result.get("message", {}).get("text", "")
+            )
+
             if files is not None:
-                loc = result.get("locations", [{}])[0]
-                uri = loc.get("physicalLocation", {}).get("artifactLocation", {}).get("uri", "")
                 if not _uri_matches(uri, files):
                     continue
+            if exclude_files is not None and _uri_matches(uri, exclude_files):
+                continue
             if rules is not None:
-                rule_id = result.get("ruleId", "")
                 if not any(fnmatch.fnmatch(rule_id, pat) for pat in rules):
                     continue
+
+            dedupe_key = (rule_id, level, line, uri, message)
+            if dedupe_key in seen_keys:
+                continue
+            seen_keys.add(dedupe_key)
             matched.append(result)
 
     # Apply pagination.
@@ -97,7 +153,7 @@ def build_sarif_summary(
             message = re.sub(r"\[([^\]]+)\]\(\d+\)", r"\1", message)
             loc = result.get("locations", [{}])[0]
             phys = loc.get("physicalLocation", {})
-            uri = phys.get("artifactLocation", {}).get("uri", "")
+            uri = _normalize_uri(phys.get("artifactLocation", {}).get("uri", ""))
             line = phys.get("region", {}).get("startLine", "")
             location = f"{uri}:{line}" if line else uri
             finding_lines.append(

{run_codeql-1.1.1 → run_codeql-1.2.0}/run_codeql/settings.py

@@ -76,3 +76,13 @@ LANG_CONFIG = {
         "suite": "codeql/actions-queries:codeql-suites/actions-security-and-quality.qls",
     },
 }
+
+# Default SARIF artifact URI excludes for summary output. These reduce triage
+# noise from third-party and generated paths while preserving an opt-in path
+# to include them via CLI flags.
+DEFAULT_SARIF_EXCLUDE_PATTERNS: list[str] = [
+    "**/node_modules/**",
+    "**/vendor/**",
+    ".codeql/**",
+    "**/.codeql/**",
+]

run_codeql-1.1.1/.github/workflows/ci.yml

@@ -1,38 +0,0 @@
-name: CI
-
-on:
-  push:
-    branches: ["**"]
-  pull_request:
-    branches: ["**"]
-
-permissions:
-  contents: read
-
-jobs:
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.12"
-      - run: pip install black ruff
-      - run: black --check run_codeql tests
-      - run: ruff check run_codeql tests
-
-  test:
-    name: Test (Python ${{ matrix.python-version }})
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ["3.10", "3.11", "3.12"]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: ${{ matrix.python-version }}
-      - run: pip install -e ".[dev]"
-      - run: pytest tests/ -v

run_codeql-1.1.1/.github/workflows/release.yml

@@ -1,72 +0,0 @@
-name: Release
-
-on:
-  push:
-    branches: [main]
-
-permissions:
-  contents: write
-  id-token: write  # required for PyPI trusted publishing
-
-jobs:
-  ci:
-    name: Test (Python ${{ matrix.python-version }})
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ["3.10", "3.11", "3.12"]
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: ${{ matrix.python-version }}
-      - run: pip install -e ".[dev]"
-      - run: pytest tests/ -v
-
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.12"
-      - run: pip install black ruff
-      - run: black --check run_codeql tests
-      - run: ruff check run_codeql tests
-
-  release:
-    name: Semantic Release
-    runs-on: ubuntu-latest
-    needs: [ci, lint]
-    concurrency: release
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      - uses: actions/setup-python@v5
-        with:
-          python-version: "3.12"
-
-      - run: pip install python-semantic-release build twine
-
-      - name: Semantic Release
-        id: release
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: semantic-release version --push
-
-      - name: Build distribution
-        if: steps.release.outputs.released == 'true'
-        run: python -m build
-
-      - name: Publish to PyPI
-        if: steps.release.outputs.released == 'true'
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e  # v1.13.0

run_codeql-1.1.1/.gitignore

@@ -1,14 +0,0 @@
-__pycache__/
-*.pyc
-*.pyo
-.pytest_cache/
-.codeql/
-*.egg-info/
-dist/
-build/
-.venv/
-venv/
-tests/.DS_Store
-.coverage
-.ruff_cache/
-CHANGELOG.md

run_codeql-1.1.1/Makefile

@@ -1,40 +0,0 @@
-.PHONY: help test lint fmt fmt-check typecheck check fix install
-
-PYTHON := python
-SRC    := run_codeql tests
-
-help:
-	@echo "Usage: make <target>"
-	@echo ""
-	@echo "  test        Run the test suite"
-	@echo "  cov         Run tests with coverage report"
-	@echo "  lint        Run ruff (check only)"
-	@echo "  fmt         Auto-format with black and ruff --fix"
-	@echo "  fmt-check   Check formatting without modifying files"
-	@echo "  fix         lint + fmt combined (auto-fix everything)"
-	@echo "  check       fmt-check + lint (CI-safe, no modifications)"
-	@echo "  install     Install package in editable mode with dev deps"
-
-test:
-	$(PYTHON) -m pytest tests/
-
-cov:
-	$(PYTHON) -m pytest tests/ --cov=run_codeql --cov-report=term-missing
-
-lint:
-	ruff check $(SRC)
-
-fmt:
-	black $(SRC)
-	ruff check --fix $(SRC)
-
-fmt-check:
-	black --check $(SRC)
-	ruff check $(SRC)
-
-fix: fmt lint
-
-check: fmt-check lint
-
-install:
-	pip install -e ".[dev]"

run_codeql-1.1.1/tests/fixtures/empty-code-quality.sarif

@@ -1,14 +0,0 @@
-{
-  "version": "2.1.0",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "CodeQL",
-          "rules": []
-        }
-      },
-      "results": []
-    }
-  ]
-}

run_codeql-1.1.1/tests/fixtures/python-code-quality.sarif

@@ -1,77 +0,0 @@
-{
-  "version": "2.1.0",
-  "runs": [
-    {
-      "tool": {
-        "driver": {
-          "name": "CodeQL",
-          "rules": [
-            {
-              "id": "py/sql-injection",
-              "name": "SqlInjection",
-              "shortDescription": { "text": "SQL injection" },
-              "defaultConfiguration": { "level": "error" }
-            },
-            {
-              "id": "py/unused-import",
-              "name": "UnusedImport",
-              "shortDescription": { "text": "Unused import" },
-              "defaultConfiguration": { "level": "warning" }
-            }
-          ]
-        }
-      },
-      "results": [
-        {
-          "ruleId": "py/sql-injection",
-          "level": "error",
-          "message": { "text": "This query depends on [user-provided value](1)." },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": { "uri": "src/db.py", "uriBaseId": "%SRCROOT%" },
-                "region": { "startLine": 42, "startColumn": 5 }
-              }
-            }
-          ],
-          "relatedLocations": [
-            {
-              "id": 1,
-              "physicalLocation": {
-                "artifactLocation": { "uri": "src/views.py", "uriBaseId": "%SRCROOT%" },
-                "region": { "startLine": 10 }
-              },
-              "message": { "text": "user-provided value" }
-            }
-          ]
-        },
-        {
-          "ruleId": "py/unused-import",
-          "level": "warning",
-          "message": { "text": "Import of 'os' is not used." },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": { "uri": "src/utils.py", "uriBaseId": "%SRCROOT%" },
-                "region": { "startLine": 3, "startColumn": 1 }
-              }
-            }
-          ]
-        },
-        {
-          "ruleId": "py/unused-import",
-          "level": "warning",
-          "message": { "text": "Import of 'sys' is not used." },
-          "locations": [
-            {
-              "physicalLocation": {
-                "artifactLocation": { "uri": "src/utils.py", "uriBaseId": "%SRCROOT%" },
-                "region": { "startLine": 4, "startColumn": 1 }
-              }
-            }
-          ]
-        }
-      ]
-    }
-  ]
-}