Database over multiple repositories (Javascript)

[Naman-ntc]

Hi,
I have a few repositories (N>1000) and I wanted to analyze code in the repositories. Instead of making a separate database for each repo, so far I have been building a database for all repos together (by calling codeql create one directory above)

However, unlike compiled languages, javascript codeql doesn't take build instruction so I was wondering will the way I build my database affect the code-flow (by capturing some dependencies across repositories!)?

[hvitved]

When all the repositories are treated as one big code base, it means that our analysis may connect different repos when constructing the call graph (which is a key component in data flow analysis). This may be both a benefit (when a cross-repo call graph edge is correct), but it may also result in false positives (when a cross-repo call graph edge is incorrect, for example if the two repos are completely independent). @github/codeql-javascript can probably weigh in with a few more details, and perhaps give recommendations on which approach to take.

[Naman-ntc]

Hi, Thanks for the response. I was indeed afraid of this, my repos are independent (just a subset of github dump!). I chose this route because I felt more scope of parallelization when building and running codeql on thousands of repos - but now it seems it is doing very expensive and useless computation.
Follow up - what if it finds multiple definitions of some imported function across repos - how will it choose a data-flow edge?

[hvitved]

Hi, Thanks for the response. I was indeed afraid of this, my repos are independent (just a subset of github dump!). I chose this route because I felt more scope of parallelization when building and running codeql on thousands of repos - but now it seems it is doing very expensive and useless computation.

In that case it sounds like they should definitely be analyzed independently.

Follow up - what if it finds multiple definitions of some imported function across repos - how will it choose a data-flow edge?

I am not into the details of how this works for JavaScript, but my guess would be that it would add call edges to all possible definitions. But I'll let @github/codeql-javascript confirm.