From fdd393902064f46700a4a67c697e9373f610afcf Mon Sep 17 00:00:00 2001
From: Igor Menkov
Date: Tue, 9 Jun 2026 17:33:15 +0200
Subject: [PATCH 1/5] update Go toolchain version to 1.22.5 for CodeQL compatibility
---
 azure-pipelines.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index bf4ee20..6ee26d6 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -34,9 +34,13 @@ extends: os: linux vmImage: 'ubuntu-latest' steps: + # Bumped to a Go toolchain supported by the CodeQL Go extractor (>= 1.21). + # The repo's modules still declare `go 1.12` in go.mod, so library + # consumers on older Go are unaffected -- this is a build-time toolchain + # only and no source changes are required. - task: GoTool@0 inputs: - version: '1.13.5' + version: '1.22.5' - task: Go@0 inputs: command: 'get'
From 37f8f8be6681b5a27caa8c72ed061eca74554edb Mon Sep 17 00:00:00 2001
From: Igor Menkov
Date: Tue, 9 Jun 2026 17:44:38 +0200
Subject: [PATCH 2/5] add CGO_ENABLED variable to disable cgo for pure-Go runtime
---
 azure-pipelines.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 6ee26d6..86b5f0c 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -33,6 +33,11 @@ extends: name: 1ES-Shared-Hosted-Pool_Linux-Mariner-2 os: linux vmImage: 'ubuntu-latest' + variables: + # The Mariner-2 hosted agent has no C toolchain / libc headers, so + # cgo-enabled builds fail with "stdlib.h: No such file or directory". + # This repo is pure Go, so disable cgo to use the pure-Go runtime. + CGO_ENABLED: 0 steps: # Bumped to a Go toolchain supported by the CodeQL Go extractor (>= 1.21). # The repo's modules still declare `go 1.12` in go.mod, so library
From 4f6b041b2eb0f26d4bad20ca1095adeda2fb5bf7 Mon Sep 17 00:00:00 2001
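Review bot: `CGO_ENABLED: 0` in the new `variables:` block is a bare integer while every other scalar in this file is single-quoted (`'ubuntu-latest'`, `'1.22.5'`); Azure Pipelines stringifies variable values, so it works as-is, but `CGO_ENABLED: '0'` keeps the file consistent and does not depend on the YAML loader's implicit typing. A job-level variable is exported to every later step of the job, which the comment could state so that the effect is not read as local to one task, e.g. `# Job-level: applies to every step below, so any future cgo-only dependency fails at build time on this agent.`. The "This repo is pure Go" line documents an assumption this hunk cannot show, so keeping it as the written rationale is the right call. The enclosing job definition starts outside the hunk.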
From: Igor Menkov
Date: Tue, 9 Jun 2026 18:08:40 +0200
Subject: [PATCH 3/5] refactor: rename job to codeql and update CodeQL task inputs
---
 azure-pipelines.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 86b5f0c..990c7d4 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -28,7 +28,7 @@ extends: stages: - stage: stage jobs: - - job: job + - job: codeql pool: name: 1ES-Shared-Hosted-Pool_Linux-Mariner-2 os: linux
@@ -55,7 +55,14 @@ extends: inputs: command: 'clean' workingDirectory: '$(System.DefaultWorkingDirectory)/azuredevops' - - task: Go@0 + - task: CodeQL3000Init@0 inputs: - command: 'build' + Language: go + BuildMode: autobuild workingDirectory: '$(System.DefaultWorkingDirectory)/azuredevops' + #${{ if eq(variables['Build.SourceBranch'], 'refs/heads/PLACEHOLDER') }}: + Enabled: true + #${{ else }}: + # Enabled: false + - task: CodeQL3000Finalize@0 + condition: always()
From d0c0d2ed66f7b53d7289fc668ed63980f2423af0 Mon Sep 17 00:00:00 2001
From: Igor Menkov
Date: Tue, 9 Jun 2026 19:47:07 +0200
Subject: [PATCH 4/5] fix: add CodeQL Go wrapper script to address static binary issue with Go 1.21+
---
 azure-pipelines.yml | 34 +++++++++++++++++++++++-----------
 1 file changed, 23 insertions(+), 11 deletions(-)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 990c7d4..4ba8ec0 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
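Review bot: The commented-out `#${{ if eq(variables['Build.SourceBranch'], 'refs/heads/PLACEHOLDER') }}:`, `#${{ else }}:` and `# Enabled: false` lines around `Enabled: true` in the second hunk leave a literal `PLACEHOLDER` branch name and a half-built gating scheme in the committed pipeline; as written `Enabled: true` is unconditional, so CodeQL runs for every branch this pipeline triggers on, while the scaffolding suggests the intent was to restrict it to one branch. Either delete the three comment lines, or put the real branch name in place of `PLACEHOLDER` and uncomment both template expressions so that `Enabled` is actually chosen by the condition. The removed `Go@0` `command: 'build'` step means compilation is now driven only by `BuildMode: autobuild`, which is presumably intended but worth stating in a comment next to the task, since a reader of this file no longer sees an explicit build. The enclosing steps list starts outside the hunk.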
@@ -55,14 +55,26 @@ extends: inputs: command: 'clean' workingDirectory: '$(System.DefaultWorkingDirectory)/azuredevops' - - task: CodeQL3000Init@0 - inputs: - Language: go - BuildMode: autobuild - workingDirectory: '$(System.DefaultWorkingDirectory)/azuredevops' - #${{ if eq(variables['Build.SourceBranch'], 'refs/heads/PLACEHOLDER') }}: - Enabled: true - #${{ else }}: - # Enabled: false - - task: CodeQL3000Finalize@0 - condition: always() + # Static-binary workaround for CodeQL + Go >= 1.21 on Linux. + # Go 1.21 made the toolchain statically linked, so the CodeQL Go + # extractor's preload tracer can no longer intercept `go` calls and + # the database ends up empty. The 1ES-documented fix is to put a thin + # wrapper script ahead of the real `go` on PATH and invoke `go build` + # from the SAME script step. See: + # https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-docs/codeql/troubleshooting/onboarding/language-compiled#go-121-and-higher-on-linux + - bash: | + set -euo pipefail + WORKAROUND_DIR="$AGENT_TEMPDIRECTORY/codeql-go-tracing" + mkdir -p "$WORKAROUND_DIR" + WHICH_GO="$(which go)" + cat > "$WORKAROUND_DIR/go" <
Date: Tue, 9 Jun 2026 19:57:42 +0200
Subject: [PATCH 5/5] fix: update CodeQL workaround comments for clarity and accuracy
---
 azure-pipelines.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index 4ba8ec0..2c681d6 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -57,11 +57,9 @@ extends: workingDirectory: '$(System.DefaultWorkingDirectory)/azuredevops' # Static-binary workaround for CodeQL + Go >= 1.21 on Linux. # Go 1.21 made the toolchain statically linked, so the CodeQL Go - # extractor's preload tracer can no longer intercept `go` calls and - # the database ends up empty. The 1ES-documented fix is to put a thin - # wrapper script ahead of the real `go` on PATH and invoke `go build` - # from the SAME script step. See: - # https://eng.ms/docs/coreai/devdiv/one-engineering-system-1es/1es-docs/codeql/troubleshooting/onboarding/language-compiled#go-121-and-higher-on-linux + # the database ends up empty. The fix is to put a thin extractor's + # preload tracer can no longer intercept `go` calls and wrapper script + # ahead of the real `go` on PATH and invoke `go build` from the SAME script step - bash: | set -euo pipefail WORKAROUND_DIR="$AGENT_TEMPDIRECTORY/codeql-go-tracing"
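Review bot: The rewritten comment is scrambled: after the unchanged context line ending `so the CodeQL Go`, the new lines read `# the database ends up empty. The fix is to put a thin extractor's` and `# preload tracer can no longer intercept \`go\` calls and wrapper script`, so the clauses of the two original sentences have been transposed and a commit titled "clarity and accuracy" leaves the rationale unreadable. It also drops the `# See: https://eng.ms/...` reference, which was the only pointer a reader had for why a PATH shim is needed at all. Restore the sentence order, e.g. `# extractor's preload tracer can no longer intercept go calls and`, `# the database ends up empty. The fix is a thin wrapper script ahead of`, `# the real go on PATH, invoked from the SAME script step as go build.`, and keep the See: line with the eng.ms URL as a fourth line. The `- bash: |` step that follows continues past the end of the hunk.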