Support security-experimental as a well-known suite (#1519)

2023-02-06 11:26:03 -08:00 · 2023-02-06 11:26:03 -08:00 · 39c954c513
commit 39c954c513
parent 927de483f0
9 changed files with 64 additions and 11 deletions
--- a/lib/codeql.js
+++ b/lib/codeql.js
@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
+exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
@ -94,6 +94,10 @@ exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = "2.9.0";
 * --extractor-options-verbosity that we need.
 */
 exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = "2.10.3";
+/**
+ * Versions 2.11.1+ of the CodeQL Bundle include a `security-experimental` built-in query suite for each language.
+ */
+exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
 /**
 * Set up CodeQL CLI access.
 *
--- a/lib/codeql.js.map
+++ b/lib/codeql.js.map
--- a/lib/config-utils.js
+++ b/lib/config-utils.js
@ -131,7 +131,11 @@ async function addDefaultQueries(codeQL, languages, resultMap) {
    await runResolveQueries(codeQL, resultMap, suites, undefined);
 }
 // The set of acceptable values for built-in suites from the codeql bundle
-const builtinSuites = ["security-extended", "security-and-quality"];
+const builtinSuites = [
+    "security-experimental",
+    "security-extended",
+    "security-and-quality",
+];
 /**
 * Determine the set of queries associated with suiteName's suites and add them to resultMap.
 * Throws an error if suiteName is not a valid builtin suite.
@ -143,6 +147,12 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
    if (!found) {
        throw new Error(getQueryUsesInvalid(configFile, suiteName));
    }
+    if (suiteName === "security-experimental" &&
+        !(await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE))) {
+        throw new Error(`The 'security-experimental' suite is not supported on CodeQL CLI versions earlier than 
+      ${codeql_1.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE}. Please upgrade to CodeQL CLI version
+      ${codeql_1.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE} or later.`);
+    }
    // If we're running the JavaScript security-extended analysis (or a superset of it), the repo is
    // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
    // pack, then add the ML-powered query pack so that we run ML-powered queries.
@ -151,7 +161,9 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
    (process.platform !== "win32" ||
        (await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS))) &&
        languages.includes("javascript") &&
-        (found === "security-extended" || found === "security-and-quality") &&
+        (found === "security-experimental" ||
+            found === "security-extended" ||
+            found === "security-and-quality") &&
        !packs.javascript?.some(isMlPoweredJsQueriesPack) &&
        (await featureEnablement.getValue(feature_flags_1.Feature.MlPoweredQueriesEnabled, codeQL))) {
        if (!packs.javascript) {
--- a/lib/config-utils.js.map
+++ b/lib/config-utils.js.map
--- a/lib/config-utils.test.js
+++ b/lib/config-utils.test.js
@ -1014,7 +1014,7 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
 // Test that the ~0.1.0 version of ML-powered queries is run on v2.8.3 of the CLI.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.8.3", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.1.0");
 // Test that ML-powered queries aren't run when the user hasn't specified that we should run the
-// `security-extended` or `security-and-quality` query suite.
+//  `security-extended`, `security-and-quality`, or `security-experimental` query suite.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
 // Test that ML-powered queries are run on non-Windows platforms running `security-extended` on
 // versions of the CodeQL CLI prior to 2.9.0.
@ -1042,6 +1042,9 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
 // Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
 // CLI 2.11.3+.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.11.3", true, undefined, "security-and-quality", "~0.4.0");
+// Test that ML-powered queries are run on all platforms running `security-experimental` on CodeQL
+// CLI 2.12.1+.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.12.1", true, undefined, "security-experimental", "~0.4.0");
 const calculateAugmentationMacro = ava_1.default.macro({
    exec: async (t, _title, rawPacksInput, rawQueriesInput, languages, expectedAugmentationProperties) => {
        const actualAugmentationProperties = configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, languages);
--- a/lib/config-utils.test.js.map
+++ b/lib/config-utils.test.js.map
--- a/src/codeql.ts
+++ b/src/codeql.ts
@ -278,6 +278,11 @@ export const CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = "2.9.0";
 */
 export const CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = "2.10.3";

+/**
+ * Versions 2.11.1+ of the CodeQL Bundle include a `security-experimental` built-in query suite for each language.
+ */
+export const CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
+
 /**
 * Set up CodeQL CLI access.
 *
--- a/src/config-utils.test.ts
+++ b/src/config-utils.test.ts
@ -1993,7 +1993,7 @@ test(
  process.platform === "win32" ? undefined : "~0.1.0"
 );
 // Test that ML-powered queries aren't run when the user hasn't specified that we should run the
-// `security-extended` or `security-and-quality` query suite.
+//  `security-extended`, `security-and-quality`, or `security-experimental` query suite.
 test(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
 // Test that ML-powered queries are run on non-Windows platforms running `security-extended` on
 // versions of the CodeQL CLI prior to 2.9.0.
@ -2074,7 +2074,6 @@ test(
  "security-extended",
  "~0.4.0"
 );
-
 // Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
 // CLI 2.11.3+.
 test(
@ -2085,6 +2084,16 @@ test(
  "security-and-quality",
  "~0.4.0"
 );
+// Test that ML-powered queries are run on all platforms running `security-experimental` on CodeQL
+// CLI 2.12.1+.
+test(
+  mlPoweredQueriesMacro,
+  "2.12.1",
+  true,
+  undefined,
+  "security-experimental",
+  "~0.4.0"
+);

 const calculateAugmentationMacro = test.macro({
  exec: async (
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@ -10,6 +10,7 @@ import {
  CodeQL,
  CODEQL_VERSION_GHES_PACK_DOWNLOAD,
  CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS,
+  CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE,
  ResolveQueriesOutput,
 } from "./codeql";
 import * as externalQueries from "./external-queries";
@ -380,7 +381,11 @@ async function addDefaultQueries(
 }

 // The set of acceptable values for built-in suites from the codeql bundle
-const builtinSuites = ["security-extended", "security-and-quality"] as const;
+const builtinSuites = [
+  "security-experimental",
+  "security-extended",
+  "security-and-quality",
+] as const;

 /**
 * Determine the set of queries associated with suiteName's suites and add them to resultMap.
@ -401,6 +406,19 @@ async function addBuiltinSuiteQueries(
  if (!found) {
    throw new Error(getQueryUsesInvalid(configFile, suiteName));
  }
+  if (
+    suiteName === "security-experimental" &&
+    !(await codeQlVersionAbove(
+      codeQL,
+      CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE
+    ))
+  ) {
+    throw new Error(
+      `The 'security-experimental' suite is not supported on CodeQL CLI versions earlier than 
+      ${CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE}. Please upgrade to CodeQL CLI version
+      ${CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE} or later.`
+    );
+  }

  // If we're running the JavaScript security-extended analysis (or a superset of it), the repo is
  // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
@ -413,7 +431,9 @@ async function addBuiltinSuiteQueries(
        CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS
      ))) &&
    languages.includes("javascript") &&
-    (found === "security-extended" || found === "security-and-quality") &&
+    (found === "security-experimental" ||
+      found === "security-extended" ||
+      found === "security-and-quality") &&
    !packs.javascript?.some(isMlPoweredJsQueriesPack) &&
    (await featureEnablement.getValue(Feature.MlPoweredQueriesEnabled, codeQL))
  ) {