Metadata for CodeQL queries¶
Metadata tells users important information about CodeQL queries. You must include the correct query metadata in a query to be able to view query results in source code.
About query metadata¶
Any query that is run as part of an analysis includes a number of properties, known as query metadata. Metadata is included at the top of each query file as the content of a QLDoc comment. This metadata tells the CodeQL extension for VS Code and the Code scanning feature in GitHub how to handle the query and display its results correctly. It also gives other users information about what the query results mean. For more information on query metadata, see the query metadata style guide in our open source repository on GitHub.
Note
The exact metadata requirement depends on how you are going to run your query. For more information, see the section on query metadata in “About CodeQL queries.”
Metadata properties¶
The following properties are supported by all query files:
Property |
Value |
Description |
---|---|---|
|
|
A sentence or short paragraph to describe the purpose of the query and why the result is useful or important. The description is written in plain text, and uses single quotes ( |
|
|
A sequence of words composed of lowercase letters or digits, delimited by |
|
problem path-problem |
Identifies the query is an alert ( |
|
|
A statement that defines the label of the query. The name is written in plain text, and uses single quotes ( |
|
correctness maintainability readability security |
These tags group queries together in broad categories to make it easier to search for them and identify them. In addition to the common tags listed here, there are also a number of more specific categories. For more information, see the Query metadata style guide. |
|
low medium high very-high |
Indicates the percentage of query results that are true positives (as opposed to false positive results). This, along with the |
|
error warning recommendation |
Defines the level of severity of any alerts generated by a non-security query. This, along with the |
|
|
Defines the level of severity, between 0.0 and 10.0, for queries with |
Example¶
Here is the metadata for one of the standard Java queries:
For more examples of query metadata, see the standard CodeQL queries in our GitHub repository.