Merge pull request #2894 from github/henrymercer/skip-validating-codeql-sarif

Skip validating SARIF produced by CodeQL
2025-05-14 19:55:03 +01:00 · 2025-05-14 19:55:03 +01:00 · 510dfa3460
commit 510dfa3460
parent 83bdf3b7f9 492d783245
19 changed files with 148 additions and 88 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,7 +4,8 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th

 ## [UNRELEASED]

- `threads` and `ram` inputs may be set via CODEQL_THREADS and CODEQL_RAM runner environment variables. [#2891](https://github.com/github/codeql-action/pull/2891)
+- Skip validating SARIF produced by CodeQL for improved performance. [#2894](https://github.com/github/codeql-action/pull/2894)
+- The number of threads and amount of RAM used by CodeQL can now be set via the `CODEQL_THREADS` and `CODEQL_RAM` runner environment variables. If set, these environment variables override the `threads` and `ram` inputs respectively. [#2891](https://github.com/github/codeql-action/pull/2891)

 ## 3.28.17 - 02 May 2025

--- a/lib/analyze.js
+++ b/lib/analyze.js
@ -64,7 +64,6 @@ const logging_1 = require("./logging");
 const repository_1 = require("./repository");
 const tools_features_1 = require("./tools-features");
 const tracer_config_1 = require("./tracer-config");
-const upload_lib_1 = require("./upload-lib");
 const util = __importStar(require("./util"));
 const util_1 = require("./util");
 class CodeQLAnalysisError extends Error {
@ -429,7 +428,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
            logger.endGroup();
            logger.info(analysisSummary);
            if (await features.getValue(feature_flags_1.Feature.QaTelemetryEnabled)) {
-                const perQueryAlertCounts = getPerQueryAlertCounts(sarifFile, logger);
+                const perQueryAlertCounts = getPerQueryAlertCounts(sarifFile);
                const perQueryAlertCountEventReport = {
                    event: "codeql database interpret-results",
                    started_at: startTimeInterpretResults.toISOString(),
@ -457,8 +456,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", sarifRunPropertyFlag, automationDetailsId, config, features);
    }
    /** Get an object with all queries and their counts parsed from a SARIF file path. */
-    function getPerQueryAlertCounts(sarifPath, log) {
-        (0, upload_lib_1.validateSarifFileSchema)(sarifPath, log);
+    function getPerQueryAlertCounts(sarifPath) {
        const sarifObject = JSON.parse(fs.readFileSync(sarifPath, "utf8"));
        // We do not need to compute fingerprints because we are not sending data based off of locations.
        // Generate the query: alert count object
--- a/lib/analyze.js.map
+++ b/lib/analyze.js.map
--- a/lib/status-report.js
+++ b/lib/status-report.js
@ -149,10 +149,10 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
        const runnerOs = (0, util_1.getRequiredEnvParam)("RUNNER_OS");
        const codeQlCliVersion = (0, util_1.getCachedCodeQlVersion)();
        const actionRef = process.env["GITHUB_ACTION_REF"] || "";
-        const testingEnvironment = process.env[environment_1.EnvVar.TESTING_ENVIRONMENT] || "";
+        const testingEnvironment = (0, util_1.getTestingEnvironment)();
        // re-export the testing environment variable so that it is available to subsequent steps,
        // even if it was only set for this step
-        if (testingEnvironment !== "") {
+        if (testingEnvironment) {
            core.exportVariable(environment_1.EnvVar.TESTING_ENVIRONMENT, testingEnvironment);
        }
        const isSteadyStateDefaultSetupRun = process.env["CODE_SCANNING_IS_STEADY_STATE_DEFAULT_SETUP"] === "true";
@ -173,7 +173,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, confi
            started_at: workflowStartedAt,
            status,
            steady_state_default_setup: isSteadyStateDefaultSetupRun,
-            testing_environment: testingEnvironment,
+            testing_environment: testingEnvironment || "",
            workflow_name: workflowName,
            workflow_run_attempt: workflowRunAttempt,
            workflow_run_id: workflowRunID,
--- a/lib/status-report.js.map
+++ b/lib/status-report.js.map
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@ -40,6 +40,7 @@ exports.InvalidSarifUploadError = void 0;
 exports.shouldShowCombineSarifFilesDeprecationWarning = shouldShowCombineSarifFilesDeprecationWarning;
 exports.populateRunAutomationDetails = populateRunAutomationDetails;
 exports.findSarifFilesInDir = findSarifFilesInDir;
+exports.readSarifFile = readSarifFile;
 exports.validateSarifFileSchema = validateSarifFileSchema;
 exports.buildPayload = buildPayload;
 exports.uploadFiles = uploadFiles;
@ -324,17 +325,24 @@ function countResultsInSarif(sarif) {
    }
    return numResults;
 }
-// Validates that the given file path refers to a valid SARIF file.
-// Throws an error if the file is invalid.
-function validateSarifFileSchema(sarifFilePath, logger) {
-    logger.info(`Validating ${sarifFilePath}`);
-    let sarif;
+function readSarifFile(sarifFilePath) {
    try {
-        sarif = JSON.parse(fs.readFileSync(sarifFilePath, "utf8"));
+        return JSON.parse(fs.readFileSync(sarifFilePath, "utf8"));
    }
    catch (e) {
        throw new InvalidSarifUploadError(`Invalid SARIF. JSON syntax error: ${(0, util_1.getErrorMessage)(e)}`);
    }
+}
+// Validates the given SARIF object and throws an error if the SARIF object is invalid.
+// The file path is only used in error messages to improve clarity.
+function validateSarifFileSchema(sarif, sarifFilePath, logger) {
+    if (areAllRunsProducedByCodeQL([sarif]) &&
+        // We want to validate CodeQL SARIF in testing environments.
+        !util.getTestingEnvironment()) {
+        logger.debug(`Skipping SARIF schema validation for ${sarifFilePath} as all runs are produced by CodeQL.`);
+        return;
+    }
+    logger.info(`Validating ${sarifFilePath}`);
    // eslint-disable-next-line @typescript-eslint/no-require-imports
    const schema = require("../src/sarif-schema-2.1.0.json");
    const result = new jsonschema.Validator().validate(sarif, schema);
@ -402,27 +410,28 @@ function buildPayload(commitOid, ref, analysisKey, analysisName, zippedSarif, wo
    return payloadObj;
 }
 /**
- * Uploads a single SARIF file or a directory of SARIF files depending on what `sarifPath` refers
+ * Uploads a single SARIF file or a directory of SARIF files depending on what `inputSarifPath` refers
 * to.
 */
-async function uploadFiles(sarifPath, checkoutPath, category, features, logger) {
-    const sarifFiles = getSarifFilePaths(sarifPath);
+async function uploadFiles(inputSarifPath, checkoutPath, category, features, logger) {
+    const sarifPaths = getSarifFilePaths(inputSarifPath);
    logger.startGroup("Uploading results");
-    logger.info(`Processing sarif files: ${JSON.stringify(sarifFiles)}`);
+    logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);
    const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
-    try {
+    let sarif;
+    if (sarifPaths.length > 1) {
        // Validate that the files we were asked to upload are all valid SARIF files
-        for (const file of sarifFiles) {
-            validateSarifFileSchema(file, logger);
+        for (const sarifPath of sarifPaths) {
+            const parsedSarif = readSarifFile(sarifPath);
+            validateSarifFileSchema(parsedSarif, sarifPath, logger);
        }
+        sarif = await combineSarifFilesUsingCLI(sarifPaths, gitHubVersion, features, logger);
    }
-    catch (e) {
-        if (e instanceof SyntaxError) {
-            throw new InvalidSarifUploadError(e.message);
-        }
-        throw e;
+    else {
+        const sarifPath = sarifPaths[0];
+        sarif = readSarifFile(sarifPath);
+        validateSarifFileSchema(sarif, sarifPath, logger);
    }
-    let sarif = await combineSarifFilesUsingCLI(sarifFiles, gitHubVersion, features, logger);
    sarif = filterAlertsByDiffRange(logger, sarif);
    sarif = await fingerprints.addFingerprints(sarif, checkoutPath, logger);
    const analysisKey = await api.getAnalysisKey();
--- a/lib/upload-lib.js.map
+++ b/lib/upload-lib.js.map
--- a/lib/upload-lib.test.js
+++ b/lib/upload-lib.test.js
@ -49,11 +49,11 @@ ava_1.default.beforeEach(() => {
 });
 (0, ava_1.default)("validateSarifFileSchema - valid", (t) => {
    const inputFile = `${__dirname}/../src/testdata/valid-sarif.sarif`;
-    t.notThrows(() => uploadLib.validateSarifFileSchema(inputFile, (0, logging_1.getRunnerLogger)(true)));
+    t.notThrows(() => uploadLib.validateSarifFileSchema(uploadLib.readSarifFile(inputFile), inputFile, (0, logging_1.getRunnerLogger)(true)));
 });
 (0, ava_1.default)("validateSarifFileSchema - invalid", (t) => {
    const inputFile = `${__dirname}/../src/testdata/invalid-sarif.sarif`;
-    t.throws(() => uploadLib.validateSarifFileSchema(inputFile, (0, logging_1.getRunnerLogger)(true)));
+    t.throws(() => uploadLib.validateSarifFileSchema(uploadLib.readSarifFile(inputFile), inputFile, (0, logging_1.getRunnerLogger)(true)));
 });
 (0, ava_1.default)("validate correct payload used for push, PR merge commit, and PR head", async (t) => {
    process.env["GITHUB_EVENT_NAME"] = "push";
@ -202,7 +202,7 @@ ava_1.default.beforeEach(() => {
        },
    };
    const sarifFile = `${__dirname}/../src/testdata/with-invalid-uri.sarif`;
-    uploadLib.validateSarifFileSchema(sarifFile, mockLogger);
+    uploadLib.validateSarifFileSchema(uploadLib.readSarifFile(sarifFile), sarifFile, mockLogger);
    t.deepEqual(loggedMessages.length, 3);
    t.deepEqual(loggedMessages[1], "Warning: 'not a valid URI' is not a valid URI in 'instance.runs[0].tool.driver.rules[0].helpUri'.", "Warning: 'not a valid URI' is not a valid URI in 'instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri'.");
 });
--- a/lib/upload-lib.test.js.map
+++ b/lib/upload-lib.test.js.map
--- a/lib/util.js
+++ b/lib/util.js
@ -62,6 +62,7 @@ exports.bundleDb = bundleDb;
 exports.delay = delay;
 exports.isGoodVersion = isGoodVersion;
 exports.isInTestMode = isInTestMode;
+exports.getTestingEnvironment = getTestingEnvironment;
 exports.doesDirectoryExist = doesDirectoryExist;
 exports.listFolder = listFolder;
 exports.tryGetFolderBytes = tryGetFolderBytes;
@ -577,15 +578,27 @@ async function delay(milliseconds, opts) {
 function isGoodVersion(versionSpec) {
    return !BROKEN_VERSIONS.includes(versionSpec);
 }
-/*
- * Returns whether we are in test mode.
+/**
+ * Returns whether we are in test mode. This is used by CodeQL Action PR checks.
 *
 * In test mode, we don't upload SARIF results or status reports to the GitHub API.
 */
 function isInTestMode() {
    return process.env[environment_1.EnvVar.TEST_MODE] === "true";
 }
-/*
+/**
+ * Get the testing environment.
+ *
+ * This is set if the CodeQL Action is running in a non-production environment.
+ */
+function getTestingEnvironment() {
+    const testingEnvironment = process.env[environment_1.EnvVar.TESTING_ENVIRONMENT] || "";
+    if (testingEnvironment === "") {
+        return undefined;
+    }
+    return testingEnvironment;
+}
+/**
 * Returns whether the path in the argument represents an existing directory.
 */
 function doesDirectoryExist(dirPath) {
--- a/lib/util.js.map
+++ b/lib/util.js.map
--- a/lib/workflow.js
+++ b/lib/workflow.js
@ -51,7 +51,6 @@ const zlib_1 = __importDefault(require("zlib"));
 const core = __importStar(require("@actions/core"));
 const yaml = __importStar(require("js-yaml"));
 const api = __importStar(require("./api-client"));
-const environment_1 = require("./environment");
 const util_1 = require("./util");
 function toCodedErrors(errors) {
    return Object.entries(errors).reduce((acc, [code, message]) => {
@ -274,8 +273,7 @@ function getInputOrThrow(workflow, jobName, actionName, inputName, matrixVars) {
 * This allows us to test workflow parsing functionality as a CodeQL Action PR check.
 */
 function getAnalyzeActionName() {
-    if ((0, util_1.isInTestMode)() ||
-        process.env[environment_1.EnvVar.TESTING_ENVIRONMENT] === "codeql-action-pr-checks") {
+    if ((0, util_1.isInTestMode)() || (0, util_1.getTestingEnvironment)() === "codeql-action-pr-checks") {
        return "./analyze";
    }
    else {
--- a/lib/workflow.js.map
+++ b/lib/workflow.js.map
--- a/src/analyze.ts
+++ b/src/analyze.ts
@ -26,7 +26,6 @@ import { getRepositoryNwoFromEnv } from "./repository";
 import { DatabaseCreationTimings, EventReport } from "./status-report";
 import { ToolsFeature } from "./tools-features";
 import { endTracingForCluster } from "./tracer-config";
-import { validateSarifFileSchema } from "./upload-lib";
 import * as util from "./util";
 import { BuildMode } from "./util";

@ -630,7 +629,7 @@ export async function runQueries(
      logger.info(analysisSummary);

      if (await features.getValue(Feature.QaTelemetryEnabled)) {
-        const perQueryAlertCounts = getPerQueryAlertCounts(sarifFile, logger);
+        const perQueryAlertCounts = getPerQueryAlertCounts(sarifFile);

        const perQueryAlertCountEventReport: EventReport = {
          event: "codeql database interpret-results",
@ -682,11 +681,7 @@ export async function runQueries(
  }

  /** Get an object with all queries and their counts parsed from a SARIF file path. */
-  function getPerQueryAlertCounts(
-    sarifPath: string,
-    log: Logger,
-  ): Record<string, number> {
-    validateSarifFileSchema(sarifPath, log);
+  function getPerQueryAlertCounts(sarifPath: string): Record<string, number> {
    const sarifObject = JSON.parse(
      fs.readFileSync(sarifPath, "utf8"),
    ) as util.SarifFile;
--- a/src/status-report.ts
+++ b/src/status-report.ts
@ -29,6 +29,7 @@ import {
  assertNever,
  BuildMode,
  getErrorMessage,
+  getTestingEnvironment,
 } from "./util";

 export enum ActionName {
@ -277,10 +278,10 @@ export async function createStatusReportBase(
    const runnerOs = getRequiredEnvParam("RUNNER_OS");
    const codeQlCliVersion = getCachedCodeQlVersion();
    const actionRef = process.env["GITHUB_ACTION_REF"] || "";
-    const testingEnvironment = process.env[EnvVar.TESTING_ENVIRONMENT] || "";
+    const testingEnvironment = getTestingEnvironment();
    // re-export the testing environment variable so that it is available to subsequent steps,
    // even if it was only set for this step
-    if (testingEnvironment !== "") {
+    if (testingEnvironment) {
      core.exportVariable(EnvVar.TESTING_ENVIRONMENT, testingEnvironment);
    }
    const isSteadyStateDefaultSetupRun =
@ -303,7 +304,7 @@ export async function createStatusReportBase(
      started_at: workflowStartedAt,
      status,
      steady_state_default_setup: isSteadyStateDefaultSetupRun,
-      testing_environment: testingEnvironment,
+      testing_environment: testingEnvironment || "",
      workflow_name: workflowName,
      workflow_run_attempt: workflowRunAttempt,
      workflow_run_id: workflowRunID,
--- a/src/upload-lib.test.ts
+++ b/src/upload-lib.test.ts
@ -17,14 +17,22 @@ test.beforeEach(() => {
 test("validateSarifFileSchema - valid", (t) => {
  const inputFile = `${__dirname}/../src/testdata/valid-sarif.sarif`;
  t.notThrows(() =>
-    uploadLib.validateSarifFileSchema(inputFile, getRunnerLogger(true)),
+    uploadLib.validateSarifFileSchema(
+      uploadLib.readSarifFile(inputFile),
+      inputFile,
+      getRunnerLogger(true),
+    ),
  );
 });

 test("validateSarifFileSchema - invalid", (t) => {
  const inputFile = `${__dirname}/../src/testdata/invalid-sarif.sarif`;
  t.throws(() =>
-    uploadLib.validateSarifFileSchema(inputFile, getRunnerLogger(true)),
+    uploadLib.validateSarifFileSchema(
+      uploadLib.readSarifFile(inputFile),
+      inputFile,
+      getRunnerLogger(true),
+    ),
  );
 });

@ -314,7 +322,11 @@ test("accept results with invalid artifactLocation.uri value", (t) => {
  } as Logger;

  const sarifFile = `${__dirname}/../src/testdata/with-invalid-uri.sarif`;
-  uploadLib.validateSarifFileSchema(sarifFile, mockLogger);
+  uploadLib.validateSarifFileSchema(
+    uploadLib.readSarifFile(sarifFile),
+    sarifFile,
+    mockLogger,
+  );

  t.deepEqual(loggedMessages.length, 3);
  t.deepEqual(
--- a/src/upload-lib.ts
+++ b/src/upload-lib.ts
@ -434,18 +434,35 @@ function countResultsInSarif(sarif: string): number {
  return numResults;
 }

-// Validates that the given file path refers to a valid SARIF file.
-// Throws an error if the file is invalid.
-export function validateSarifFileSchema(sarifFilePath: string, logger: Logger) {
-  logger.info(`Validating ${sarifFilePath}`);
-  let sarif;
+export function readSarifFile(sarifFilePath: string): SarifFile {
  try {
-    sarif = JSON.parse(fs.readFileSync(sarifFilePath, "utf8")) as SarifFile;
+    return JSON.parse(fs.readFileSync(sarifFilePath, "utf8")) as SarifFile;
  } catch (e) {
    throw new InvalidSarifUploadError(
      `Invalid SARIF. JSON syntax error: ${getErrorMessage(e)}`,
    );
  }
+}
+
+// Validates the given SARIF object and throws an error if the SARIF object is invalid.
+// The file path is only used in error messages to improve clarity.
+export function validateSarifFileSchema(
+  sarif: SarifFile,
+  sarifFilePath: string,
+  logger: Logger,
+) {
+  if (
+    areAllRunsProducedByCodeQL([sarif]) &&
+    // We want to validate CodeQL SARIF in testing environments.
+    !util.getTestingEnvironment()
+  ) {
+    logger.debug(
+      `Skipping SARIF schema validation for ${sarifFilePath} as all runs are produced by CodeQL.`,
+    );
+    return;
+  }
+
+  logger.info(`Validating ${sarifFilePath}`);
  // eslint-disable-next-line @typescript-eslint/no-require-imports
  const schema = require("../src/sarif-schema-2.1.0.json") as jsonschema.Schema;

@ -551,41 +568,44 @@ export function buildPayload(
 }

 /**
- * Uploads a single SARIF file or a directory of SARIF files depending on what `sarifPath` refers
+ * Uploads a single SARIF file or a directory of SARIF files depending on what `inputSarifPath` refers
 * to.
 */
 export async function uploadFiles(
-  sarifPath: string,
+  inputSarifPath: string,
  checkoutPath: string,
  category: string | undefined,
  features: FeatureEnablement,
  logger: Logger,
 ): Promise<UploadResult> {
-  const sarifFiles = getSarifFilePaths(sarifPath);
+  const sarifPaths = getSarifFilePaths(inputSarifPath);

  logger.startGroup("Uploading results");
-  logger.info(`Processing sarif files: ${JSON.stringify(sarifFiles)}`);
+  logger.info(`Processing sarif files: ${JSON.stringify(sarifPaths)}`);

  const gitHubVersion = await getGitHubVersion();

-  try {
+  let sarif: SarifFile;
+
+  if (sarifPaths.length > 1) {
    // Validate that the files we were asked to upload are all valid SARIF files
-    for (const file of sarifFiles) {
-      validateSarifFileSchema(file, logger);
+    for (const sarifPath of sarifPaths) {
+      const parsedSarif = readSarifFile(sarifPath);
+      validateSarifFileSchema(parsedSarif, sarifPath, logger);
    }
-  } catch (e) {
-    if (e instanceof SyntaxError) {
-      throw new InvalidSarifUploadError(e.message);
-    }
-    throw e;
+
+    sarif = await combineSarifFilesUsingCLI(
+      sarifPaths,
+      gitHubVersion,
+      features,
+      logger,
+    );
+  } else {
+    const sarifPath = sarifPaths[0];
+    sarif = readSarifFile(sarifPath);
+    validateSarifFileSchema(sarif, sarifPath, logger);
  }

-  let sarif = await combineSarifFilesUsingCLI(
-    sarifFiles,
-    gitHubVersion,
-    features,
-    logger,
-  );
  sarif = filterAlertsByDiffRange(logger, sarif);
  sarif = await fingerprints.addFingerprints(sarif, checkoutPath, logger);

--- a/src/util.ts
+++ b/src/util.ts
@ -750,8 +750,8 @@ export function isGoodVersion(versionSpec: string) {
  return !BROKEN_VERSIONS.includes(versionSpec);
 }

-/*
- * Returns whether we are in test mode.
+/**
+ * Returns whether we are in test mode. This is used by CodeQL Action PR checks.
 *
 * In test mode, we don't upload SARIF results or status reports to the GitHub API.
 */
@ -759,7 +759,20 @@ export function isInTestMode(): boolean {
  return process.env[EnvVar.TEST_MODE] === "true";
 }

-/*
+/**
+ * Get the testing environment.
+ *
+ * This is set if the CodeQL Action is running in a non-production environment.
+ */
+export function getTestingEnvironment(): string | undefined {
+  const testingEnvironment = process.env[EnvVar.TESTING_ENVIRONMENT] || "";
+  if (testingEnvironment === "") {
+    return undefined;
+  }
+  return testingEnvironment;
+}
+
+/**
 * Returns whether the path in the argument represents an existing directory.
 */
 export function doesDirectoryExist(dirPath: string): boolean {
--- a/src/workflow.ts
+++ b/src/workflow.ts
@ -7,9 +7,12 @@ import * as yaml from "js-yaml";

 import * as api from "./api-client";
 import { CodeQL } from "./codeql";
-import { EnvVar } from "./environment";
 import { Logger } from "./logging";
-import { getRequiredEnvParam, isInTestMode } from "./util";
+import {
+  getRequiredEnvParam,
+  getTestingEnvironment,
+  isInTestMode,
+} from "./util";

 export interface WorkflowJobStep {
  name?: string;
@ -358,10 +361,7 @@ function getInputOrThrow(
 * This allows us to test workflow parsing functionality as a CodeQL Action PR check.
 */
 function getAnalyzeActionName() {
-  if (
-    isInTestMode() ||
-    process.env[EnvVar.TESTING_ENVIRONMENT] === "codeql-action-pr-checks"
-  ) {
+  if (isInTestMode() || getTestingEnvironment() === "codeql-action-pr-checks") {
    return "./analyze";
  } else {
    return "github/codeql-action/analyze";