
[Rust] Including dependencies in the analysis

Open drank40 opened this issue 3 months ago • 4 comments

Hi, is there any way to include cargo dependencies within the generated DBs? Right now I'm generating it like this:

codeql database create rust-db \
  --language=rust \
  --source-root . \
  --command "cargo build --all-targets --all-features" \
  --extractor-option rust.cargo_all_targets=true \
  --extractor-option rust.extract_dependencies_as_source=true \
  --overwrite

But my queries still don't seem to go down into my dependencies.

drank40 · Sep 26 '25 14:09

Hi @drank40 👋🏻

Do you have any custom queries that you think should work, but don't? Or do you expect some of the default queries to find results that they aren't?

Have you tried querying the database for information about the dependencies?

mbg · Sep 26 '25 19:09
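A query of the kind mbg suggests, added here as an example (it is not part of the original thread and not code from the CodeQL project): it counts, per extracted file, the functions that have a body and those that do not, so you can see whether dependency files (paths under the cargo registry or a vendor/ directory) are present in the database at all and whether their functions carry bodies. It assumes the Rust QL library's `Function`, `File`, `getLocation()` and `getBody()` predicates as used in the thread; the output file name `deps.ql` and database name `rust-db` are placeholders.

```ql
/**
 * @name Extracted functions per file
 * @description Added example, not part of the CodeQL project: lists every
 *              file in a Rust database with the number of functions whose
 *              body was extracted and the number whose body is missing.
 *              Dependency files that are absent from the output were not
 *              extracted; files listed with withoutBody > 0 and withBody = 0
 *              were extracted as declarations only.
 * @kind table
 */

import rust

from File f, int withBody, int withoutBody
where
  // Functions in this file whose body exists in the database.
  withBody =
    count(Function fn | fn.getLocation().getFile() = f and exists(fn.getBody())) and
  // Functions in this file that were extracted without a body.
  withoutBody =
    count(Function fn | fn.getLocation().getFile() = f and not exists(fn.getBody())) and
  // Skip files that contain no functions at all.
  withBody + withoutBody > 0
select f.getAbsolutePath() as path, withBody, withoutBody order by withoutBody desc
```

Run it with `codeql query run --database=rust-db deps.ql`. If the rows only ever show paths under your own source root, the dependencies were not extracted as source; if dependency paths appear but with `withoutBody` high and `withBody` zero, the extractor saw the crates but did not pull their bodies, which is the distinction redsun82 draws later in the thread about being able to call `f.getBody()` on a dependency function.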

Hi, I've done a bit more digging, and it seems like if I vendor my dependencies with cargo vendor, they show up in the analysis with basic broad queries.

drank40 · Sep 29 '25 12:09

👋 @drank40

We're still unsure why your initial command with the rust.extract_dependencies_as_source=true option didn't work and we're looking it up. That should make all code in the dependencies be extracted in the DB. In particular, that should mean that if you select a function from the dependencies, you should be able to have an f.getBody() out of that.

What could be different between that and your experience with vendoring is features. Our extractor uses --all-features by default, but only on the source crates. Dependencies are pulled in with what features the cargo manifests enable for them. However when you move the dependencies in the vendor directory, then suddenly all of them will have all features enabled.

In the meantime, there are two other problems with that invocation:

  • rust analysis only supports build mode none, so the --command flag will be ignored
  • we just found a bug where --extractor-option rust.cargo_all_targets=true has no effect. We will be fixing it (and we might actually make that the default in the future), but in the meantime that flag is only selectable via environment variables, i.e. setting CODEQL_RUST_EXTRACTOR_OPTION_CARGO_ALL_TARGETS=true in the environment.

Just so you know, as I already mentioned --all-features is already the default way in which we carry out analysis, so that doesn't require anything in the invocation.

redsun82 · Oct 14 '25 10:10

Thank you for clarifying and pointing out that bug to me; it's already pretty good with vendoring, but trying with CODEQL_RUST_EXTRACTOR_OPTION_CARGO_ALL_TARGETS=true doesn't seem to change much.

Is there an env var equivalent to --extractor-option rust.extract_dependencies_as_source=true? Maybe that option has the same issue as the other one.

drank40 · Oct 19 '25 11:10