CodeQL codesign error message

[rnychyporuk-rbi]

We`re workin on CodeQL Static Application Security Testing (SAST) implementation for a Swift language using GitHub Actions. During this process, I encountered an issue with the CodeQL initialization step when integrating with a Fastlane-based build process.

When including the CodeQL initialization step (github/codeql-action/init@v2) in the GitHub Actions workflow before Fastlane-based build commands, the build job fails with a CodeSign error. The specific error message indicates that the CodeSign command has failed.

Interesting Behavior: if I remove the CodeQL initialization step from the GitHub Actions workflow, the build application process works perfectly without any issues - application builds well.

Error message from console output:

▸ ** ARCHIVE FAILED **
▸ The following build commands failed:
▸ 	CodeSign /Users/runner/Library/Developer/Xcode/DerivedData/APP-amdyapuwajsvoeelnrjmqpntrblu/Build/Intermediates.noindex/ArchiveIntermediates/APP_straging/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/SaleforceNotificationService_staging.appex (in target 'SaleforceNotificationService_staging' from project 'APP')
▸ (1 failure)

From debug logs we got below entries:

/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: warning: changes being made to the file will invalidate the code signature in: /Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.00008433.slice.x86_64
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.00008433.slice.x86_64: replacing existing signature
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: warning: changes being made to the file will invalidate the code signature in: /Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.00008433.slice.arm64
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.00008433.slice.arm64: replacing existing signature
[T 17:01:12 33906] Attempting to switch stdout/stderr to 7...
[T 17:01:12 33908] Attempting to switch stdout/stderr to 7...
[T 17:01:12 33909] Attempting to switch stdout/stderr to 7...
[T 17:01:12 33913] Attempting to switch stdout/stderr to 7...
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.145DE1E8.slice.x86_64: replacing existing signature
[T 17:01:12 33914] Attempting to switch stdout/stderr to 7...
[T 17:01:12 33912] Initializing tracer.
[T 17:01:12 33912] Initialising tags...
[T 17:01:12 33912] ID set to 0000000000008478_0000000000000001 (parent 0000000000008433_0000000000000001)
[T 17:01:12 33912] ==== Candidate to intercept: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache (canonical: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache) ====
[T 17:01:12 33912] Executing the following tracer actions:
[T 17:01:12 33912] Tracer actions:
[T 17:01:12 33912] pre_invocations(0)
[T 17:01:12 33912] post_invocations(0)
[T 17:01:12 33912] trace_languages(1): [swift]
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.slice.x86_64: replacing existing signature
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.slice.x86_64: replacing existing signature
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.slice.x86_64: replacing existing signature
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/codesign.semmle.00008433.slice.x86_64: replacing existing signature

Why codeql replace signature and is it the case for failing our scan ?

[aibaars]

CodeQL traces the build process to figure out how source files are compiled and against which libraries/header files etc. To do this it uses the DYLD_INSERT_LIBRARIES environment variable to inject the CodeQL tracer into the running build process. On macOS the use of DYLD_INSERT_LIBRARIES is restricted when System Integrity Protection is enabled (it is on by default). System Integrity Protection removes the DYLD_INSERT_LIBRARIES variable from the environment for any binaries it considers to be part of the "system" (for example binaries installed in /usr/bin). To side-step these limitations, the CodeQL tracer copies binaries to a different folder (codeql_databases/working/copy-root) before running them. This copying may invalidate the original signature, so CodeQL provides them with new signatures.

The lines from the build-tracer.log above show that the CodeQL tracer is re-signing /usr/bin/clang-stat-cache which is normal. However, also see /usr/bin/codesign being re-signed, and perhaps that is causing problems. I'll ask the team to have a look.

In the mean time, could you try disabling CodeSigning for your build? CodeQL analysis only needs to intercept compiler processes, steps like packaging and signing are not important for the CodeQL scan.

[aibaars]

@rnychyporuk-rbi Hopefully github/codeql#15134 will fix the problem.

[adityasharad]

This will be fixed in CodeQL 2.15.5.

[rnychyporuk-rbi]

Thank you @adityasharad .
Sorry for the question but how to specify 2.15.15 version for CodeQL Init Action (github/codeql-action/init@v2). I tried to force a couple options but none of them works. CodeQL Init action initialise 2.15.0 version - so I still get the same codesign error

  Found CodeQL tools version 2.15.0 in the toolcache.
  /Users/runner/actions-runner/_work/_tool/CodeQL/2.15.0/x64/codeql/codeql version --format=json
  {
    "productName" : "CodeQL",
    "vendor" : "GitHub",
    "version" : "2.15.0",
    "sha" : "d0c03afb046bf4964cf4c",
    "branches" : [
      "codeql-cli-2.15.0"
    ],
    "copyright" : "Copyright (C) 2019-2023 GitHub, Inc.",
    "unpackedLocation" : "/Users/runner/actions-runner/_work/_tool/CodeQL/2.15.0/x64/codeql",
    "configFileLocation" : "/Users/runner/.config/codeql/config",
    "configFileFound" : false,
    "features" : {
      "featuresInVersionResult" : true,
      "supportsPython312" : true
    }
  }

[aibaars]

Have you tried the tools: option? You can set it to the URL of a codeql bundle asset from the releases page of the github/codeql-action repository.

[jakobholmgrenhiq]

I am running into a similar issue when building with fastlane where my action gets stuck on the codesigning step only when CodeQL is initialized prior to building.

The failing command is the following:
set -o pipefail && xcodebuild -workspace ./REDACTED.xcodeproj/project.xcworkspace -scheme REDACTED -configuration QA-Release -destination 'generic/platform=iOS' -archivePath ./build.xcarchive archive | tee /Users/runner/Library/Logs/gym/REDACTED\ QA.log | xcbeautify

In my case, the action gets stuck indefinitely with the last readable output being the following:
[13:03:49]: ▸ Signing REDACTED.framework (in target 'REDACTED' from project 'REDACTED')

This step usually completes in seconds but will get stuck until the action times out or is cancelled. This does not happen for the exact same pipeline without CodeQL.

The initialization, build, and analysis steps looks as follows:

      - name: Initialize CodeQL
        uses: github/codeql-action/[email protected]
        with:
          languages: swift
          queries: security-and-quality
          tools: https://github.com/github/codeql-action/releases/download/codeql-bundle-v2.15.5/codeql-bundle-osx64.tar.gz

      - name: Build QA
         REDACTED fastlane step

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/[email protected]
        with:
          category: "/language:swift"

Runner: macos-13
Xcode-version: 15.0.1

Let me know if there is any additional information I should provide!

[aibaars]

@jakobholmgrenhiq Thanks for the detailed report! Could you try re-running the workflow with debug logging enabled? In that case the codeql-action uploads a debug artifact. The debug artifact contains a file log/build-tracer.log . Could you have a look at that file and post any lines that have the word codesign in them?

@AlexDenisov FYI

[jakobholmgrenhiq]

@jakobholmgrenhiq Thanks for the detailed report! Could you try re-running the workflow with debug logging enabled? In that case the codeql-action uploads a debug artifact. The debug artifact contains a file log/build-tracer.log . Could you have a look at that file and post any lines that have the word codesign in them?

@AlexDenisov FYI

First match is unique:

[T 13:21:58 9563] Attempting to switch stdout/stderr to 6...
/Users/runner/work/_temp/codeql_databases/working/copy-root/000001F5/usr/bin/codesign.semmle.000023CF.0A82CBC0.slice.x86_64: replacing existing signature
/Users/runner/work/_temp/codeql_databases/working/copy-root/000001F5/Applications/Xcode_15.0.1.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.000023CF.09925910.slice.x86_64: replacing existing signature
/Users/runner/work/_temp/codeql_databases/working/copy-root/000001F5/usr/bin/codesign.semmle.000023CF.0B6BD7E8.slice.x86_64: replacing existing signature
/Users/runner/work/_temp/codeql_databases/working/copy-root/000001F5/usr/bin/codesign.semmle.000023CF.0BE22128.slice.x86_64: replacing existing signature

Rest looks as follows with slight variations:

[T 13:21:58 9570] Initializing tracer.
[T 13:21:58 9570] Initialising tags...
[T 13:21:58 9570] ID set to 0000000000002562_0000000000000001 (parent 00000000000023CF_0000000000000001)
[T 13:21:58 9570] ==== Candidate to intercept: /usr/bin/codesign (canonical: /usr/bin/codesign) ====
[T 13:21:58 9570] Lua: === Intercepted call to /usr/bin/codesign ===
[T 13:21:58 9570] Lua: Disabling tracing for language swift.
[T 13:21:58 9570] Executing the following tracer actions:
[T 13:21:58 9570] Tracer actions:
[T 13:21:58 9570] pre_invocations(0)
[T 13:21:58 9570] post_invocations(0)
[T 13:21:58 9570] trace_languages(0): []
[T 13:21:58 9570] Disabling tracing for this command.
/Applications/Xcode_15.0.1.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: warning: changes being made to the file will invalidate the code signature in: /Users/runner/work/_temp/codeql_databases/working/copy-root/000001F5/Applications/Xcode_15.0.1.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.000023CF.09925910.slice.arm64

[T 13:21:58 9573] Initializing tracer.
[T 13:21:58 9573] Initialising tags...
[T 13:21:58 9573] ID set to 0000000000002565_0000000000000001 (parent 00000000000023CF_0000000000000001)
[T 13:21:58 9573] ==== Candidate to intercept: /usr/bin/codesign (canonical: /usr/bin/codesign) ====
[T 13:21:58 9573] Lua: === Intercepted call to /usr/bin/codesign ===
[T 13:21:58 9573] Lua: Disabling tracing for language swift.
[T 13:21:58 9573] Executing the following tracer actions:
[T 13:21:58 9573] Tracer actions:
[T 13:21:58 9573] pre_invocations(0)
[T 13:21:58 9573] post_invocations(0)
[T 13:21:58 9573] trace_languages(0): []
[T 13:21:58 9573] Disabling tracing for this command.
/Users/runner/work/_temp/codeql_databases/working/copy-root/000001F5/Applications/Xcode_15.0.1.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang-stat-cache.semmle.000023CF.09925910.slice.arm64: replacing existing signature

Let me know if you want me to attach more complete logs.

[aibaars]

Thanks!

@AlexDenisov I see that tracing is disabled after intercepting /usr/bin/codesign, however, I still see re-signed versions of codesign in the copy-root folder so I guess github/codeql@6cbf8ab did not entirely have the desired effect. I had expected that the tracer would skip all the SIP avoidance once it was turned "off". I suppose this is because it is only turned off for swift, and there could in theory still be another language that requires tracing of the process.

[angelapwen]

Is there any downside to adding the fix from github/codeql@6cbf8ab to all traced languages? If not we can try that out and see how it goes.

[jakobholmgrenhiq]

Let me know if I can assist by testing some release candidate, if at all possible, in our pipelines to see if it resolves it.

[aibaars]

Is there any downside to adding the fix from github/codeql@6cbf8ab to all traced languages? If not we can try that out and see how it goes.

I'm afraid that the above fix doesn't actually work. Even with trace: false the tracer will still relocate binaries, and I believe codesign does not "like" being relocated.

[aeisenberg]

Any ideas on other ways we can solve this? Perhaps we can special-case codesign so that it's not even relocated?

[angelapwen]

Following up — yes, Alex had a PR for exactly that in https://github.com/github/semmle-code/pull/48593 but it had to be reverted because it was failing integration tests on SIP-disabled ARM runners. I believe Alex is now working on the (separate) fix behind that issue https://github.com/github/codeql-c-team/issues/2160 and then https://github.com/github/semmle-code/pull/48593 can go in again. So, this issue is blocked on https://github.com/github/codeql-c-team/issues/2160 (correct me if wrong!)

[jakobholmgrenhiq]

Sorry to bump this if it is still blocked on another issue (which I sadly cant check before posting as it is internal). Do you have any estimates on when we can see this resolved?

[aeisenberg]

No worries asking for an update. We are actively working on a fix. I can't make any promises on when it will be released. We will have more clarity next week as we collect more data.

[aeisenberg]

This fix is unlikely to make it into the next CodeQL release 2.16.2, which is expected this week.

[SviatikLetsin]

We are still receiving the same issue with "replacing existing signature" using CodeQL 2.16.3:

[T 08:32:07 67951] Attempting to switch stdout/stderr to 3...
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/usr/bin/git.semmle.0001096B.29181888.slice.x86_64: replacing existing signature
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/usr/bin/git.semmle.0001096B.29181888.slice.arm64: replacing existing signature
[T 08:32:07 67947] Initializing tracer.
[T 08:32:07 67947] Initializing tags.

codeql version --format=json
{
  "productName" : "CodeQL",
  "vendor" : "GitHub",
  "version" : "2.16.3",
  "sha" : "89973abb6e1d3083dfb8426eb0e210df19ca36be"

Could you notify me about the progress, and when it might be fixed?

[aeisenberg]

This appears to be a different problem. Previously, the error was with the codesign binary. Now, there are log messages about resigning the relocated git binary. This in and of itself isn't a problem.

Can you share more of your log that has the error message?

[SviatikLetsin]

Here is the whole log file:

[T 08:32:01 67898] Initializing tracer.
[T 08:32:01 67898] Initializing tags.
[T 08:32:01 67898] ID set to 000000000001093A_0000000000000001 (parent root)
[T 08:32:01 67898] Warning: SEMMLE_EXEC and SEMMLE_EXECP not set. Falling back to path lookup on argv[0].
[T 08:32:01 67898] ==== Candidate to intercept: df (canonical: /bin/df) ====
[T 08:32:01 67898] Executing the following tracer actions:
[T 08:32:01 67898] Tracer actions:
[T 08:32:01 67898] pre_invocations(0)
[T 08:32:01 67898] post_invocations(0)
[T 08:32:01 67898] trace_languages(1): [swift]
[T 08:32:03 67899] Initializing tracer.
[T 08:32:03 67899] Initializing tags.
[T 08:32:03 67899] ID set to 000000000001093B_0000000000000001 (parent root)
[T 08:32:03 67899] Warning: SEMMLE_EXEC and SEMMLE_EXECP not set. Falling back to path lookup on argv[0].
[T 08:32:03 67899] ==== Candidate to intercept: /Users/runner/actions-runner/externals/node16/bin/node (canonical: /Users/runner/actions-runner/externals/node16/bin/node) ====
[T 08:32:03 67899] Executing the following tracer actions:
[T 08:32:03 67899] Tracer actions:
[T 08:32:03 67899] pre_invocations(0)
[T 08:32:03 67899] post_invocations(0)
[T 08:32:03 67899] trace_languages(1): [swift]
[T 08:32:03 67901] Attempting to switch stdout/stderr to 5...
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/bin/df.semmle.0001093C.23844518.slice.x86_64: replacing existing signature
[T 08:32:03 67900] Initializing tracer.
[T 08:32:03 67900] Initializing tags.
[T 08:32:03 67900] ID set to 000000000001093C_0000000000000001 (parent 000000000001093B_0000000000000001)
[T 08:32:03 67900] ==== Candidate to intercept: /bin/df (canonical: /bin/df) ====
[T 08:32:03 67900] Executing the following tracer actions:
[T 08:32:03 67900] Tracer actions:
[T 08:32:03 67900] pre_invocations(0)
[T 08:32:03 67900] post_invocations(0)
[T 08:32:03 67900] trace_languages(1): [swift]
[T 08:32:03 67905] Attempting to switch stdout/stderr to 5...
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/bin/sh.semmle.00010940.36F67328.slice.x86_64: replacing existing signature
[T 08:32:03 67904] Initializing tracer.
[T 08:32:03 67904] Initializing tags.
[T 08:32:03 67904] ID set to 0000000000010940_0000000000000001 (parent 000000000001093B_0000000000000001)
[T 08:32:03 67904] ==== Candidate to intercept: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/codeql (canonical: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/codeql) ====
[T 08:32:03 67904] Executing the following tracer actions:
[T 08:32:03 67904] Tracer actions:
[T 08:32:03 67904] pre_invocations(0)
[T 08:32:03 67904] post_invocations(0)
[T 08:32:03 67904] trace_languages(1): [swift]
[T 08:32:03 67908] Attempting to switch stdout/stderr to 3...
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/bin/bash.semmle.00010940.39C84068.slice.x86_64: replacing existing signature
[T 08:32:04 67904] Initializing tracer.
[T 08:32:04 67904] Initializing tags.
[T 08:32:04 67904] ID set to 0000000000010940_0000000000000002 (parent 0000000000010940_0000000000000001)
[T 08:32:04 67904] ==== Candidate to intercept: /bin/bash (canonical: /bin/bash) ====
[T 08:32:04 67904] Executing the following tracer actions:
[T 08:32:04 67904] Tracer actions:
[T 08:32:04 67904] pre_invocations(0)
[T 08:32:04 67904] post_invocations(0)
[T 08:32:04 67904] trace_languages(1): [swift]
[T 08:32:04 67912] Attempting to switch stdout/stderr to 3...
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/uname.semmle.00010947.01AB46D0.slice.x86_64: replacing existing signature
[T 08:32:04 67911] Initializing tracer.
[T 08:32:04 67911] Initializing tags.
[T 08:32:04 67911] ID set to 0000000000010947_0000000000000001 (parent 0000000000010940_0000000000000002)
[T 08:32:04 67911] ==== Candidate to intercept: /usr/bin/uname (canonical: /usr/bin/uname) ====
[T 08:32:04 67911] Executing the following tracer actions:
[T 08:32:04 67911] Tracer actions:
[T 08:32:04 67911] pre_invocations(0)
[T 08:32:04 67911] post_invocations(0)
[T 08:32:04 67911] trace_languages(1): [swift]
[T 08:32:04 67916] Attempting to switch stdout/stderr to 3...
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/mktemp.semmle.0001094B.04840950.slice.x86_64: replacing existing signature
[T 08:32:04 67915] Initializing tracer.
[T 08:32:04 67915] Initializing tags.
[T 08:32:04 67915] ID set to 000000000001094B_0000000000000001 (parent 0000000000010940_0000000000000002)
[T 08:32:04 67915] ==== Candidate to intercept: /usr/bin/mktemp (canonical: /usr/bin/mktemp) ====
[T 08:32:04 67915] Executing the following tracer actions:
[T 08:32:04 67915] Tracer actions:
[T 08:32:04 67915] pre_invocations(0)
[T 08:32:04 67915] post_invocations(0)
[T 08:32:04 67915] trace_languages(1): [swift]
[T 08:32:04 67920] Attempting to switch stdout/stderr to 3...
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: warning: changes being made to the file will invalidate the code signature in: /Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/tools/osx64/java/bin/java.semmle.0001094F.076ABE20.slice.x86_64
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: warning: changes being made to the file will invalidate the code signature in: /Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/tools/osx64/java/bin/java.semmle.0001094F.076ABE20.slice.x86_64
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/tools/osx64/java/bin/java.semmle.0001094F.076ABE20.slice.x86_64: replacing existing signature
[T 08:32:04 67919] Initializing tracer.
[T 08:32:04 67919] Initializing tags.
[T 08:32:04 67919] ID set to 000000000001094F_0000000000000001 (parent 0000000000010940_0000000000000002)
[T 08:32:04 67919] ==== Candidate to intercept: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/tools/osx64/java/bin/java (canonical: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/tools/osx64/java/bin/java) ====
[T 08:32:04 67919] Executing the following tracer actions:
[T 08:32:04 67919] Tracer actions:
[T 08:32:04 67919] pre_invocations(0)
[T 08:32:04 67919] post_invocations(0)
[T 08:32:04 67919] trace_languages(1): [swift]
[T 08:32:04 67919] Loading extra JVM options from SEMMLE_JAVA_TOOL_OPTIONS instead of in-process variable.
[T 08:32:04 67919] Warning: Ignored JNI_CreateJavaVM because codeql_extra_jvm_options/SEMMLE_JAVA_TOOL_OPTIONS is not set. JVM tracing is disabled for this process.
[T 08:32:04 67926] Attempting to switch stdout/stderr to 3...
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/bin/rm.semmle.00010955.258E0380.slice.x86_64: replacing existing signature
[T 08:32:04 67925] Initializing tracer.
[T 08:32:04 67925] Initializing tags.
[T 08:32:04 67925] ID set to 0000000000010955_0000000000000001 (parent 0000000000010940_0000000000000002)
[T 08:32:04 67925] ==== Candidate to intercept: /bin/rm (canonical: /bin/rm) ====
[T 08:32:04 67925] Executing the following tracer actions:
[T 08:32:04 67925] Tracer actions:
[T 08:32:04 67925] pre_invocations(0)
[T 08:32:04 67925] post_invocations(0)
[T 08:32:04 67925] trace_languages(1): [swift]
[T 08:32:04 67929] Initializing tracer.
[T 08:32:04 67929] Initializing tags.
[T 08:32:04 67929] ID set to 0000000000010959_0000000000000001 (parent 000000000001093B_0000000000000001)
[T 08:32:04 67929] ==== Candidate to intercept: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/codeql (canonical: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/codeql) ====
[T 08:32:04 67929] Executing the following tracer actions:
[T 08:32:04 67929] Tracer actions:
[T 08:32:04 67929] pre_invocations(0)
[T 08:32:04 67929] post_invocations(0)
[T 08:32:04 67929] trace_languages(1): [swift]
[T 08:32:04 67929] Initializing tracer.
[T 08:32:04 67929] Initializing tags.
[T 08:32:04 67929] ID set to 0000000000010959_0000000000000002 (parent 0000000000010959_0000000000000001)
[T 08:32:04 67929] ==== Candidate to intercept: /bin/bash (canonical: /bin/bash) ====
[T 08:32:04 67929] Executing the following tracer actions:
[T 08:32:04 67929] Tracer actions:
[T 08:32:04 67929] pre_invocations(0)
[T 08:32:04 67929] post_invocations(0)
[T 08:32:04 67929] trace_languages(1): [swift]
[T 08:32:04 67930] Initializing tracer.
[T 08:32:04 67930] Initializing tags.
[T 08:32:04 67930] ID set to 000000000001095A_0000000000000001 (parent 0000000000010959_0000000000000002)
[T 08:32:04 67930] ==== Candidate to intercept: /usr/bin/uname (canonical: /usr/bin/uname) ====
[T 08:32:04 67930] Executing the following tracer actions:
[T 08:32:04 67930] Tracer actions:
[T 08:32:04 67930] pre_invocations(0)
[T 08:32:04 67930] post_invocations(0)
[T 08:32:04 67930] trace_languages(1): [swift]
[T 08:32:04 67931] Initializing tracer.
[T 08:32:04 67931] Initializing tags.
[T 08:32:04 67931] ID set to 000000000001095B_0000000000000001 (parent 0000000000010959_0000000000000002)
[T 08:32:04 67931] ==== Candidate to intercept: /usr/bin/mktemp (canonical: /usr/bin/mktemp) ====
[T 08:32:04 67931] Executing the following tracer actions:
[T 08:32:04 67931] Tracer actions:
[T 08:32:04 67931] pre_invocations(0)
[T 08:32:04 67931] post_invocations(0)
[T 08:32:04 67931] trace_languages(1): [swift]
[T 08:32:04 67932] Initializing tracer.
[T 08:32:04 67932] Initializing tags.
[T 08:32:04 67932] ID set to 000000000001095C_0000000000000001 (parent 0000000000010959_0000000000000002)
[T 08:32:04 67932] ==== Candidate to intercept: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/tools/osx64/java/bin/java (canonical: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/tools/osx64/java/bin/java) ====
[T 08:32:04 67932] Executing the following tracer actions:
[T 08:32:04 67932] Tracer actions:
[T 08:32:04 67932] pre_invocations(0)
[T 08:32:04 67932] post_invocations(0)
[T 08:32:04 67932] trace_languages(1): [swift]
[T 08:32:04 67932] Loading extra JVM options from SEMMLE_JAVA_TOOL_OPTIONS instead of in-process variable.
[T 08:32:04 67932] Warning: Ignored JNI_CreateJavaVM because codeql_extra_jvm_options/SEMMLE_JAVA_TOOL_OPTIONS is not set. JVM tracing is disabled for this process.
[T 08:32:05 67933] Initializing tracer.
[T 08:32:05 67933] Initializing tags.
[T 08:32:05 67933] ID set to 000000000001095D_0000000000000001 (parent 0000000000010959_0000000000000002)
[T 08:32:05 67933] ==== Candidate to intercept: /bin/rm (canonical: /bin/rm) ====
[T 08:32:05 67933] Executing the following tracer actions:
[T 08:32:05 67933] Tracer actions:
[T 08:32:05 67933] pre_invocations(0)
[T 08:32:05 67933] post_invocations(0)
[T 08:32:05 67933] trace_languages(1): [swift]
[T 08:32:05 67934] Initializing tracer.
[T 08:32:05 67934] Initializing tags.
[T 08:32:05 67934] ID set to 000000000001095E_0000000000000001 (parent 000000000001093B_0000000000000001)
[T 08:32:05 67934] ==== Candidate to intercept: /bin/df (canonical: /bin/df) ====
[T 08:32:05 67934] Executing the following tracer actions:
[T 08:32:05 67934] Tracer actions:
[T 08:32:05 67934] pre_invocations(0)
[T 08:32:05 67934] post_invocations(0)
[T 08:32:05 67934] trace_languages(1): [swift]
[T 08:32:05 67935] Initializing tracer.
[T 08:32:05 67935] Initializing tags.
[T 08:32:05 67935] ID set to 000000000001095F_0000000000000001 (parent root)
[T 08:32:05 67935] Warning: SEMMLE_EXEC and SEMMLE_EXECP not set. Falling back to path lookup on argv[0].
[T 08:32:05 67935] ==== Candidate to intercept: /Users/runner/actions-runner/externals/node16/bin/node (canonical: /Users/runner/actions-runner/externals/node16/bin/node) ====
[T 08:32:05 67935] Executing the following tracer actions:
[T 08:32:05 67935] Tracer actions:
[T 08:32:05 67935] pre_invocations(0)
[T 08:32:05 67935] post_invocations(0)
[T 08:32:05 67935] trace_languages(1): [swift]
[T 08:32:05 67936] Initializing tracer.
[T 08:32:05 67936] Initializing tags.
[T 08:32:05 67936] ID set to 0000000000010960_0000000000000001 (parent root)
[T 08:32:05 67936] Warning: SEMMLE_EXEC and SEMMLE_EXECP not set. Falling back to path lookup on argv[0].
[T 08:32:05 67936] ==== Candidate to intercept: /Users/runner/actions-runner/externals/node16/bin/node (canonical: /Users/runner/actions-runner/externals/node16/bin/node) ====
[T 08:32:05 67936] Executing the following tracer actions:
[T 08:32:05 67936] Tracer actions:
[T 08:32:05 67936] pre_invocations(0)
[T 08:32:05 67936] post_invocations(0)
[T 08:32:05 67936] trace_languages(1): [swift]
[T 08:32:06 67937] Initializing tracer.
[T 08:32:06 67937] Initializing tags.
[T 08:32:06 67937] ID set to 0000000000010961_0000000000000001 (parent 0000000000010960_0000000000000001)
[T 08:32:06 67937] ==== Candidate to intercept: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/codeql (canonical: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/codeql) ====
[T 08:32:06 67937] Executing the following tracer actions:
[T 08:32:06 67937] Tracer actions:
[T 08:32:06 67937] pre_invocations(0)
[T 08:32:06 67937] post_invocations(0)
[T 08:32:06 67937] trace_languages(1): [swift]
[T 08:32:06 67937] Initializing tracer.
[T 08:32:06 67937] Initializing tags.
[T 08:32:06 67937] ID set to 0000000000010961_0000000000000002 (parent 0000000000010961_0000000000000001)
[T 08:32:06 67937] ==== Candidate to intercept: /bin/bash (canonical: /bin/bash) ====
[T 08:32:06 67937] Executing the following tracer actions:
[T 08:32:06 67937] Tracer actions:
[T 08:32:06 67937] pre_invocations(0)
[T 08:32:06 67937] post_invocations(0)
[T 08:32:06 67937] trace_languages(1): [swift]
[T 08:32:06 67938] Initializing tracer.
[T 08:32:06 67938] Initializing tags.
[T 08:32:06 67938] ID set to 0000000000010962_0000000000000001 (parent 0000000000010961_0000000000000002)
[T 08:32:06 67938] ==== Candidate to intercept: /usr/bin/uname (canonical: /usr/bin/uname) ====
[T 08:32:06 67938] Executing the following tracer actions:
[T 08:32:06 67938] Tracer actions:
[T 08:32:06 67938] pre_invocations(0)
[T 08:32:06 67938] post_invocations(0)
[T 08:32:06 67938] trace_languages(1): [swift]
[T 08:32:06 67939] Initializing tracer.
[T 08:32:06 67939] Initializing tags.
[T 08:32:06 67939] ID set to 0000000000010963_0000000000000001 (parent 0000000000010961_0000000000000002)
[T 08:32:06 67939] ==== Candidate to intercept: /usr/bin/mktemp (canonical: /usr/bin/mktemp) ====
[T 08:32:06 67939] Executing the following tracer actions:
[T 08:32:06 67939] Tracer actions:
[T 08:32:06 67939] pre_invocations(0)
[T 08:32:06 67939] post_invocations(0)
[T 08:32:06 67939] trace_languages(1): [swift]
[T 08:32:06 67940] Initializing tracer.
[T 08:32:06 67940] Initializing tags.
[T 08:32:06 67940] ID set to 0000000000010964_0000000000000001 (parent 0000000000010961_0000000000000002)
[T 08:32:06 67940] ==== Candidate to intercept: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/tools/osx64/java/bin/java (canonical: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/tools/osx64/java/bin/java) ====
[T 08:32:06 67940] Executing the following tracer actions:
[T 08:32:06 67940] Tracer actions:
[T 08:32:06 67940] pre_invocations(0)
[T 08:32:06 67940] post_invocations(0)
[T 08:32:06 67940] trace_languages(1): [swift]
[T 08:32:06 67940] Loading extra JVM options from SEMMLE_JAVA_TOOL_OPTIONS instead of in-process variable.
[T 08:32:06 67940] Warning: Ignored JNI_CreateJavaVM because codeql_extra_jvm_options/SEMMLE_JAVA_TOOL_OPTIONS is not set. JVM tracing is disabled for this process.
[T 08:32:06 67941] Initializing tracer.
[T 08:32:06 67941] Initializing tags.
[T 08:32:06 67941] ID set to 0000000000010965_0000000000000001 (parent 0000000000010961_0000000000000002)
[T 08:32:06 67941] ==== Candidate to intercept: /bin/rm (canonical: /bin/rm) ====
[T 08:32:06 67941] Executing the following tracer actions:
[T 08:32:06 67941] Tracer actions:
[T 08:32:06 67941] pre_invocations(0)
[T 08:32:06 67941] post_invocations(0)
[T 08:32:06 67941] trace_languages(1): [swift]
[T 08:32:06 67942] Initializing tracer.
[T 08:32:06 67942] Initializing tags.
[T 08:32:06 67942] ID set to 0000000000010966_0000000000000001 (parent 0000000000010960_0000000000000001)
[T 08:32:06 67942] ==== Candidate to intercept: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/codeql (canonical: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/codeql) ====
[T 08:32:06 67942] Executing the following tracer actions:
[T 08:32:06 67942] Tracer actions:
[T 08:32:06 67942] pre_invocations(0)
[T 08:32:06 67942] post_invocations(0)
[T 08:32:06 67942] trace_languages(1): [swift]
[T 08:32:06 67942] Initializing tracer.
[T 08:32:06 67942] Initializing tags.
[T 08:32:06 67942] ID set to 0000000000010966_0000000000000002 (parent 0000000000010966_0000000000000001)
[T 08:32:06 67942] ==== Candidate to intercept: /bin/bash (canonical: /bin/bash) ====
[T 08:32:06 67942] Executing the following tracer actions:
[T 08:32:06 67942] Tracer actions:
[T 08:32:06 67942] pre_invocations(0)
[T 08:32:06 67942] post_invocations(0)
[T 08:32:06 67942] trace_languages(1): [swift]
[T 08:32:07 67943] Initializing tracer.
[T 08:32:07 67943] Initializing tags.
[T 08:32:07 67943] ID set to 0000000000010967_0000000000000001 (parent 0000000000010966_0000000000000002)
[T 08:32:07 67943] ==== Candidate to intercept: /usr/bin/uname (canonical: /usr/bin/uname) ====
[T 08:32:07 67943] Executing the following tracer actions:
[T 08:32:07 67943] Tracer actions:
[T 08:32:07 67943] pre_invocations(0)
[T 08:32:07 67943] post_invocations(0)
[T 08:32:07 67943] trace_languages(1): [swift]
[T 08:32:07 67944] Initializing tracer.
[T 08:32:07 67944] Initializing tags.
[T 08:32:07 67944] ID set to 0000000000010968_0000000000000001 (parent 0000000000010966_0000000000000002)
[T 08:32:07 67944] ==== Candidate to intercept: /usr/bin/mktemp (canonical: /usr/bin/mktemp) ====
[T 08:32:07 67944] Executing the following tracer actions:
[T 08:32:07 67944] Tracer actions:
[T 08:32:07 67944] pre_invocations(0)
[T 08:32:07 67944] post_invocations(0)
[T 08:32:07 67944] trace_languages(1): [swift]
[T 08:32:07 67945] Initializing tracer.
[T 08:32:07 67945] Initializing tags.
[T 08:32:07 67945] ID set to 0000000000010969_0000000000000001 (parent 0000000000010966_0000000000000002)
[T 08:32:07 67945] ==== Candidate to intercept: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/tools/osx64/java/bin/java (canonical: /Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/tools/osx64/java/bin/java) ====
[T 08:32:07 67945] Executing the following tracer actions:
[T 08:32:07 67945] Tracer actions:
[T 08:32:07 67945] pre_invocations(0)
[T 08:32:07 67945] post_invocations(0)
[T 08:32:07 67945] trace_languages(1): [swift]
[T 08:32:07 67945] Loading extra JVM options from SEMMLE_JAVA_TOOL_OPTIONS instead of in-process variable.
[T 08:32:07 67945] Warning: Ignored JNI_CreateJavaVM because codeql_extra_jvm_options/SEMMLE_JAVA_TOOL_OPTIONS is not set. JVM tracing is disabled for this process.
[T 08:32:07 67946] Initializing tracer.
[T 08:32:07 67946] Initializing tags.
[T 08:32:07 67946] ID set to 000000000001096A_0000000000000001 (parent 0000000000010966_0000000000000002)
[T 08:32:07 67946] ==== Candidate to intercept: /bin/rm (canonical: /bin/rm) ====
[T 08:32:07 67946] Executing the following tracer actions:
[T 08:32:07 67946] Tracer actions:
[T 08:32:07 67946] pre_invocations(0)
[T 08:32:07 67946] post_invocations(0)
[T 08:32:07 67946] trace_languages(1): [swift]
[T 08:32:07 67948] Attempting to switch stdout/stderr to 5...
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/usr/bin/git.semmle.0001096B.25A91D00.slice.x86_64: replacing existing signature
[T 08:32:07 67947] Initializing tracer.
[T 08:32:07 67947] Initializing tags.
[T 08:32:07 67947] ID set to 000000000001096B_0000000000000001 (parent 0000000000010960_0000000000000001)
[T 08:32:07 67947] ==== Candidate to intercept: /usr/bin/git (canonical: /usr/bin/git) ====
[T 08:32:07 67947] Executing the following tracer actions:
[T 08:32:07 67947] Tracer actions:
[T 08:32:07 67947] pre_invocations(0)
[T 08:32:07 67947] post_invocations(0)
[T 08:32:07 67947] trace_languages(1): [swift]
[T 08:32:07 67951] Attempting to switch stdout/stderr to 3...
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/usr/bin/git.semmle.0001096B.29181888.slice.x86_64: replacing existing signature
/Users/runner/actions-runner/_work/_temp/codeql_databases/working/copy-root/000001F6/Applications/Xcode.app/Contents/Developer/usr/bin/git.semmle.0001096B.29181888.slice.arm64: replacing existing signature
[T 08:32:07 67947] Initializing tracer.
[T 08:32:07 67947] Initializing tags.
[T 08:32:07 67947] ID set to 000000000001096B_0000000000000002 (parent 000000000001096B_0000000000000001)
[T 08:32:07 67947] ==== Candidate to intercept: /Applications/Xcode.app/Contents/Developer/usr/bin/git (canonical: /Applications/Xcode.app/Contents/Developer/usr/bin/git) ====
[T 08:32:07 67947] Executing the following tracer actions:
[T 08:32:07 67947] Tracer actions:
[T 08:32:07 67947] pre_invocations(0)
[T 08:32:07 67947] post_invocations(0)
[T 08:32:07 67947] trace_languages(1): [swift]

We are receving such error in the action:

  CodeQL detected code written in Swift but could not process any of it. Review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build .
  Error: Encountered a fatal error while running "/Users/runner/actions-runner/_work/_tool/CodeQL/2.16.3/x64/codeql/codeql database finalize --finalize-dataset --threads=12 --ram=30515 /Users/runner/actions-runner/_work/_temp/codeql_databases/swift". Exit code was 32 and last log line was: CodeQL detected code written in Swift but could not process any of it. Review our troubleshooting guide at https://gh.io/troubleshooting-code-scanning/no-source-code-seen-during-build . See the logs for more details.

[aibaars]

That log looks really short . I don't see any mention of the xcodebuild command in the tracer log. So either the build command isn't run or somehow it is not even seen by the tracer.

@AlexDenisov What do you think?

[rnychyporuk-rbi]

Hey guys. Do we have any updates o this?

[redsun82]

👋 @rnychyporuk-rbi

As @aibaars points out, it's weird that the log terminates mentioning a git invocation without ever seeming to trace an actual xcode build as was the case previously.

Are you using default setup or the autobuild action? Or did you provide a custom build step? If you did not use default setup, could you provide a snippet of the codeql workflow you used? Could the build step exit early with success based on some git command result?

[jakobholmgrenhiq]

Let me know if I can provide any additional information to help progress this issue.

[ls-valentinas-bakaitis]

Hi @aeisenberg @redsun82 ,

I an having a similar issue where the fastlane will build successfully without CodeQL, but when CodeQL steps are added - the build fails.

[aeisenberg]

@ls-valentinas-bakaitis, can you please create a new issue for this? This issue has gotten a bit convoluted and it's no longer clear what each new report is. In this new issue, please include your logs (especially the tracer logs, redacted is 👍) and your workflow file.

[ls-valentinas-bakaitis]

@aeisenberg I have submitted a new issue here: #2347