robojerk/codeql-action

Merge pull request #1051 from github/henrymercer/run-atm-on-windows

Browse source 
Run ML-powered queries on Windows with CodeQL CLI 2.9.0+
This commit is contained in:
Henry Mercer 2022-05-11 20:03:26 +01:00 committed by GitHub
commit 1fae5bf71b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 118 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

20
.github/workflows/__ml-powered-queries.yml generated vendored
View file

@ -82,10 +82,20 @@ jobs:
retention-days: 7 retention-days: 7
- name: Check results - name: Check results
# Running ML-powered queries on Windows requires CodeQL CLI 2.9.0+. We don't run these checks
# against Windows and `cached` while CodeQL CLI 2.9.0 makes its way into `cached` to avoid the
# test starting to fail when the cached CodeQL Bundle gets updated. Once the CodeQL Bundle
# containing CodeQL CLI 2.9.0 has been fully released, we can drop this line and start running
# these checks on Windows and `cached`.
if: matrix.os != 'windows-latest' || matrix.version != 'cached'
env: env:
IS_WINDOWS: ${{ matrix.os == 'windows-latest' }} # Running on Windows requires CodeQL CLI 2.9.0+, which has so far only made it to 'latest'.
SHOULD_RUN_ML_POWERED_QUERIES: ${{ matrix.os != 'windows-latest' || matrix.version
== 'latest' || matrix.version == 'nightly-latest' }}
shell: bash shell: bash
run: | run: |
echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
cd "$RUNNER_TEMP/results" cd "$RUNNER_TEMP/results"
# We should run at least the ML-powered queries in `expected_rules`. # We should run at least the ML-powered queries in `expected_rules`.
expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss" expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
@ -94,10 +104,10 @@ jobs:
found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) | found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
flatten | .[].id] | any(. == $rule)' javascript.sarif) flatten | .[].id] | any(. == $rule)' javascript.sarif)
echo "Did find rule '${rule}': ${found_rule}" echo "Did find rule '${rule}': ${found_rule}"
if [[ "${found_rule}" != "true" && "${IS_WINDOWS}" != "true" ]]; then if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
echo "Expected SARIF output to contain rule '${rule}', but found no such rule." echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
exit 1 exit 1
elif [[ "${found_rule}" == "true" && "${IS_WINDOWS}" == "true" ]]; then elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis." echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
exit 1 exit 1
fi fi
@ -108,10 +118,10 @@ jobs:
select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \ select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
javascript.sarif) javascript.sarif)
echo "Found ${num_alerts} alerts from ML-powered queries."; echo "Found ${num_alerts} alerts from ML-powered queries.";
if [[ "${num_alerts}" -eq 0 && "${IS_WINDOWS}" != "true" ]]; then if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}." echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
exit 1 exit 1
elif [[ "${num_alerts}" -ne 0 && "${IS_WINDOWS}" == "true" ]]; then elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}." echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
exit 1 exit 1
fi fi

8
lib/codeql.js generated
View file

@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod }; return (mod && mod.__esModule) ? mod : { "default": mod };
}; };
Object.defineProperty(exports, "__esModule", { value: true }); Object.defineProperty(exports, "__esModule", { value: true });
exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_ML_POWERED_QUERIES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CommandInvocationError = void 0; exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_ML_POWERED_QUERIES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CommandInvocationError = void 0;
const fs = __importStar(require("fs")); const fs = __importStar(require("fs"));
const path = __importStar(require("path")); const path = __importStar(require("path"));
const toolrunner = __importStar(require("@actions/exec/lib/toolrunner")); const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
@ -86,6 +86,12 @@ exports.CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
* versions above that. * versions above that.
*/ */
exports.CODEQL_VERSION_NEW_TRACING = "2.7.0"; exports.CODEQL_VERSION_NEW_TRACING = "2.7.0";
/**
* Versions 2.9.0+ of the CodeQL CLI run machine learning models from a temporary directory, which
* resolves an issue on Windows where TensorFlow models are not correctly loaded due to the path of
* some of their files being greater than MAX_PATH (260 characters).
*/
exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = "2.9.0";
function getCodeQLBundleName() { function getCodeQLBundleName() {
let platform; let platform;
if (process.platform === "win32") { if (process.platform === "win32") {

2
lib/codeql.js.map
View file

File diff suppressed because one or more lines are too long

5
lib/config-utils.js generated
View file

@ -131,8 +131,9 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
// opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
// pack, then add the ML-powered query pack so that we run ML-powered queries. // pack, then add the ML-powered query pack so that we run ML-powered queries.
if ( if (
// Disable ML-powered queries on Windows // Only run ML-powered queries on Windows if we have a CLI that supports it.
process.platform !== "win32" && (process.platform !== "win32" ||
(await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS))) &&
languages.includes("javascript") && languages.includes("javascript") &&
(found === "security-extended" || found === "security-and-quality") && (found === "security-extended" || found === "security-and-quality") &&
!((_a = packs.javascript) === null || _a === void 0 ? void 0 : _a.some(isMlPoweredJsQueriesPack)) && !((_a = packs.javascript) === null || _a === void 0 ? void 0 : _a.some(isMlPoweredJsQueriesPack)) &&

2
lib/config-utils.js.map
View file

File diff suppressed because one or more lines are too long

22
lib/config-utils.test.js generated
View file

@ -906,15 +906,23 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.4", true, undefined, "security-extended", undefined); (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.4", true, undefined, "security-extended", undefined);
// Test that ML-powered queries aren't run when the feature flag is off. // Test that ML-powered queries aren't run when the feature flag is off.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", false, undefined, "security-extended", undefined); (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", false, undefined, "security-extended", undefined);
// Test that the ~0.1.0 version of ML-powered queries is run on v2.8.3 of the CLI.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.8.3", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.1.0");
// Test that ML-powered queries aren't run when the user hasn't specified that we should run the // Test that ML-powered queries aren't run when the user hasn't specified that we should run the
// `security-extended` or `security-and-quality` query suite. // `security-extended` or `security-and-quality` query suite.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined); (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
// Test that ML-powered queries are run on non-Windows platforms running `security-extended`. // Test that ML-powered queries are run on non-Windows platforms running `security-extended` on
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.1.0"); // versions of the CodeQL CLI prior to 2.9.0.
// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality`. (0, ava_1.default)(mlPoweredQueriesMacro, "2.8.5", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.2.0");
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-and-quality", process.platform === "win32" ? undefined : "~0.1.0"); // Test that ML-powered queries are run on non-Windows platforms running `security-and-quality` on
// versions of the CodeQL CLI prior to 2.9.0.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.8.5", true, undefined, "security-and-quality", process.platform === "win32" ? undefined : "~0.2.0");
// Test that ML-powered queries are run on all platforms running `security-extended` on CodeQL CLI
// 2.9.0+.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.9.0", true, undefined, "security-extended", "~0.2.0");
// Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
// CLI 2.9.0+.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.9.0", true, undefined, "security-and-quality", "~0.2.0");
// Test that we don't inject an ML-powered query pack if the user has already specified one. // Test that we don't inject an ML-powered query pack if the user has already specified one.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", process.platform === "win32" ? undefined : "0.0.1"); (0, ava_1.default)(mlPoweredQueriesMacro, "2.9.0", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", "0.0.1");
// Test that the ~0.2.0 version of ML-powered queries is run on v2.8.4 of the CLI.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.8.4", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.2.0");
//# sourceMappingURL=config-utils.test.js.map //# sourceMappingURL=config-utils.test.js.map

2
lib/config-utils.test.js.map
View file

File diff suppressed because one or more lines are too long

19
pr-checks/checks/ml-powered-queries.yml
View file

@ -32,10 +32,19 @@ steps:
retention-days: 7 retention-days: 7
- name: Check results - name: Check results
# Running ML-powered queries on Windows requires CodeQL CLI 2.9.0+. We don't run these checks
# against Windows and `cached` while CodeQL CLI 2.9.0 makes its way into `cached` to avoid the
# test starting to fail when the cached CodeQL Bundle gets updated. Once the CodeQL Bundle
# containing CodeQL CLI 2.9.0 has been fully released, we can drop this line and start running
# these checks on Windows and `cached`.
if: matrix.os != 'windows-latest' || matrix.version != 'cached'
env: env:
IS_WINDOWS: ${{ matrix.os == 'windows-latest' }} # Running on Windows requires CodeQL CLI 2.9.0+, which has so far only made it to 'latest'.
SHOULD_RUN_ML_POWERED_QUERIES: ${{ matrix.os != 'windows-latest' || matrix.version == 'latest' || matrix.version == 'nightly-latest' }}
shell: bash shell: bash
run: | run: |
echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
cd "$RUNNER_TEMP/results" cd "$RUNNER_TEMP/results"
# We should run at least the ML-powered queries in `expected_rules`. # We should run at least the ML-powered queries in `expected_rules`.
expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss" expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
@ -44,10 +53,10 @@ steps:
found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) | found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
flatten | .[].id] | any(. == $rule)' javascript.sarif) flatten | .[].id] | any(. == $rule)' javascript.sarif)
echo "Did find rule '${rule}': ${found_rule}" echo "Did find rule '${rule}': ${found_rule}"
if [[ "${found_rule}" != "true" && "${IS_WINDOWS}" != "true" ]]; then if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
echo "Expected SARIF output to contain rule '${rule}', but found no such rule." echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
exit 1 exit 1
elif [[ "${found_rule}" == "true" && "${IS_WINDOWS}" == "true" ]]; then elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis." echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
exit 1 exit 1
fi fi
@ -58,10 +67,10 @@ steps:
select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \ select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
javascript.sarif) javascript.sarif)
echo "Found ${num_alerts} alerts from ML-powered queries."; echo "Found ${num_alerts} alerts from ML-powered queries.";
if [[ "${num_alerts}" -eq 0 && "${IS_WINDOWS}" != "true" ]]; then if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}." echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
exit 1 exit 1
elif [[ "${num_alerts}" -ne 0 && "${IS_WINDOWS}" == "true" ]]; then elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}." echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
exit 1 exit 1
fi fi

7
src/codeql.ts
View file

@ -232,6 +232,13 @@ export const CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
*/ */
export const CODEQL_VERSION_NEW_TRACING = "2.7.0"; export const CODEQL_VERSION_NEW_TRACING = "2.7.0";
/**
* Versions 2.9.0+ of the CodeQL CLI run machine learning models from a temporary directory, which
* resolves an issue on Windows where TensorFlow models are not correctly loaded due to the path of
* some of their files being greater than MAX_PATH (260 characters).
*/
export const CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = "2.9.0";
function getCodeQLBundleName(): string { function getCodeQLBundleName(): string {
let platform: string; let platform: string;
if (process.platform === "win32") { if (process.platform === "win32") {

72
src/config-utils.test.ts
View file

@ -1804,42 +1804,64 @@ test(
"security-extended", "security-extended",
undefined undefined
); );
// Test that ML-powered queries aren't run when the user hasn't specified that we should run the // Test that the ~0.1.0 version of ML-powered queries is run on v2.8.3 of the CLI.
// `security-extended` or `security-and-quality` query suite.
test(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
// Test that ML-powered queries are run on non-Windows platforms running `security-extended`.
test( test(
mlPoweredQueriesMacro, mlPoweredQueriesMacro,
"2.7.5", "2.8.3",
true, true,
undefined, undefined,
"security-extended", "security-extended",
process.platform === "win32" ? undefined : "~0.1.0" process.platform === "win32" ? undefined : "~0.1.0"
); );
// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality`. // Test that ML-powered queries aren't run when the user hasn't specified that we should run the
// `security-extended` or `security-and-quality` query suite.
test(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
// Test that ML-powered queries are run on non-Windows platforms running `security-extended` on
// versions of the CodeQL CLI prior to 2.9.0.
test( test(
mlPoweredQueriesMacro, mlPoweredQueriesMacro,
"2.7.5", "2.8.5",
true,
undefined,
"security-and-quality",
process.platform === "win32" ? undefined : "~0.1.0"
);
// Test that we don't inject an ML-powered query pack if the user has already specified one.
test(
mlPoweredQueriesMacro,
"2.7.5",
true,
"codeql/javascript-experimental-atm-queries@0.0.1",
"security-and-quality",
process.platform === "win32" ? undefined : "0.0.1"
);
// Test that the ~0.2.0 version of ML-powered queries is run on v2.8.4 of the CLI.
test(
mlPoweredQueriesMacro,
"2.8.4",
true, true,
undefined, undefined,
"security-extended", "security-extended",
process.platform === "win32" ? undefined : "~0.2.0" process.platform === "win32" ? undefined : "~0.2.0"
); );
// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality` on
// versions of the CodeQL CLI prior to 2.9.0.
test(
mlPoweredQueriesMacro,
"2.8.5",
true,
undefined,
"security-and-quality",
process.platform === "win32" ? undefined : "~0.2.0"
);
// Test that ML-powered queries are run on all platforms running `security-extended` on CodeQL CLI
// 2.9.0+.
test(
mlPoweredQueriesMacro,
"2.9.0",
true,
undefined,
"security-extended",
"~0.2.0"
);
// Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
// CLI 2.9.0+.
test(
mlPoweredQueriesMacro,
"2.9.0",
true,
undefined,
"security-and-quality",
"~0.2.0"
);
// Test that we don't inject an ML-powered query pack if the user has already specified one.
test(
mlPoweredQueriesMacro,
"2.9.0",
true,
"codeql/javascript-experimental-atm-queries@0.0.1",
"security-and-quality",
"0.0.1"
);

9
src/config-utils.ts
View file

@ -8,6 +8,7 @@ import * as api from "./api-client";
import { import {
CodeQL, CodeQL,
CODEQL_VERSION_ML_POWERED_QUERIES, CODEQL_VERSION_ML_POWERED_QUERIES,
CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS,
ResolveQueriesOutput, ResolveQueriesOutput,
} from "./codeql"; } from "./codeql";
import * as externalQueries from "./external-queries"; import * as externalQueries from "./external-queries";
@ -293,8 +294,12 @@ async function addBuiltinSuiteQueries(
// opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
// pack, then add the ML-powered query pack so that we run ML-powered queries. // pack, then add the ML-powered query pack so that we run ML-powered queries.
if ( if (
// Disable ML-powered queries on Windows // Only run ML-powered queries on Windows if we have a CLI that supports it.
process.platform !== "win32" && (process.platform !== "win32" ||
(await codeQlVersionAbove(
codeQL,
CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS
))) &&
languages.includes("javascript") && languages.includes("javascript") &&
(found === "security-extended" || found === "security-and-quality") && (found === "security-extended" || found === "security-and-quality") &&
!packs.javascript?.some(isMlPoweredJsQueriesPack) && !packs.javascript?.some(isMlPoweredJsQueriesPack) &&