CodeQL picks-up incorrect private NPM registry credentials

[nshift-diva]

Hi,

We are testing CodeQL on GHE for some projects and we have NPM private registries configured at organization level using username and password.

When the default CodeQL action runs this is picking-up the registry as having token auth.

Using registries_credentials input.
Credentials loaded for the following registries:
 Type: npm_registry; Host: undefined; Url: https://my-company.jfrog.io/artifactory/api/npm/my-npm-feed/ Username: undefined; Password: false; Token: true
Type: nuget_feed; Host: undefined; Url: https://my-company.jfrog.io/artifactory/api/nuget/v3/my-nuget-feed/index.json Username: my-service-account; Password: true; Token: false
Warning: Failed to retrieve information about the linked release: Not Found - https://docs.github.com/rest/releases/releases#get-a-release-by-tag-name
Did not find 'update-job-proxy-linux64.tar.gz' in the linked release, falling back to hard-coded version.
/usr/bin/tar xz --warning=no-unknown-keyword --overwrite -C /home/runner/work/_temp/708eeb9f-ac43-412c-94ff-dbf679ecc2c5 -f /home/runner/work/_temp/e62bf087-66e1-47b0-9aed-ce0e4ad3a548
Proxy started on 127.0.0.1:49152
Error: Connection test to https://my-company.jfrog.io/artifactory/api/npm/my-npm-feed/ failed. (401)
Successfully tested connection to https://my-company.jfrog.io/artifactory/api/nuget/v3/my-nuget-feed/index.json (200)

Is there something I am missing? Did I skip some configuration step?

[mbg]

Hi @nshift-diva 👋🏻

Thanks for your question about this!

Note that the private registry configurations are shared by Dependabot and CodeQL. On the CodeQL end, only Java (maven_repository), C# (nuget_feed), and Go (git_source, goproxy_server) support private registries. Therefore, the NPM registry you have configured would only be used by Dependabot and has no effect on CodeQL analyses.

If Dependabot is working fine for you and is able to access packages from your private NPM registry, then there's nothing to worry about in the log output here.

If it's not working for Dependabot, then we'd need to check with them why the NPM registry configuration ends up with a token instead of the username and password you have configured.

[nshift-diva]

Hi @mbg

Thanks for getting back so quickly. I saw NPM was supported but since it did show-up in the proxy setup I was hoping the docs were out of sync with the supported features.

[mbg]

Not all languages supported by CodeQL also require/benefit from access to private dependencies for a high quality analysis. The three we support private registries for are the ones which benefit most from having access to all dependencies. We'd consider adding support for other languages / types of registries if this led to better results / there was demand for it.