Merge pull request #1476 from github/update-v2.1.38-70fdddff

Merge main into releases/v2
Henry Mercer 2023-01-12 10:32:43 +00:00 committed by GitHub
commit 515828d974
91 changed files with 1092 additions and 818 deletions

32
.github/setup-swift/action.yml vendored Normal file

@ -0,0 +1,32 @@
name: "Set up Swift"
description: Performs necessary steps to set up appropriate Swift version.
inputs:
codeql-path:
required: true
runs:
using: "composite"
steps:
- name: Get Swift version
id: get_swift_version
# We don't support Swift on Windows or prior versions of CLI.
if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
shell: bash
env:
CODEQL_PATH: ${{inputs.codeql-path}}
run: |
if [ $RUNNER_OS = "macOS" ]; then
PLATFORM="osx64"
else # We do not run this step on Windows.
PLATFORM="linux64"
fi
SWIFT_EXTRACTOR_DIR="$("$CODEQL_PATH" resolve languages --format json | jq -r '.swift[0]')"
VERSION="$("$SWIFT_EXTRACTOR_DIR/tools/$PLATFORM/extractor" --version | awk '/version/ { print $3 }')"
# Specify 5.7.0, otherwise setup Action will default to latest minor version.
if [ $VERSION = "5.7" ]; then
VERSION="5.7.0"
fi
echo "version=$VERSION" | tee -a $GITHUB_OUTPUT
- uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
if: "(runner.os != 'Windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
with:
swift-version: "${{steps.get_swift_version.outputs.version}}"
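Review bot: The `[ $VERSION = "5.7" ]` test just above `VERSION="5.7.0"` and the `[ $RUNNER_OS = "macOS" ]` test at the top of the script leave the variables unquoted, so an empty `VERSION` (the awk filter not matching the extractor's `--version` output) turns the test into `[ = "5.7" ]` and the step fails on a shell syntax error under the `-e` that `shell: bash` implies, instead of with a readable message; quote them as `if [ "$RUNNER_OS" = "macOS" ]; then` and `if [ "$VERSION" = "5.7" ]; then`. Because `jq -r '.swift[0]'` prints `null` when the CLI reports no Swift extractor, a guard such as `[ -n "$VERSION" ] || { echo "could not determine Swift version"; exit 1; }` before the `echo "version=..."` line would make that failure mode explicit rather than surfacing as a missing-file error from the extractor path. The `if:` expression is duplicated verbatim on both steps; a one-line comment above the second one noting that it must match the first would help keep them in sync.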


@ -7,6 +7,7 @@ name: "PR Check - Analyze: 'ref' and 'sha' from inputs"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - autobuild-action
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - Export file baseline information
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:
@ -42,18 +43,16 @@ jobs:
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
# Windows doesn't support Swift, and only macOS latest and nightly-latest support Swift 5.7.1.
if: runner.os == 'Linux' || (runner.os == 'macOS' && matrix.version == 'cached')
with:
swift-version: 5.7.0
- uses: ./../action/init
id: init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
env:
CODEQL_FILE_BASELINE_INFORMATION: true
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Build code
shell: bash
run: ./build.sh
@ -62,7 +61,6 @@ jobs:
output: ${{ runner.temp }}/results
env:
CODEQL_FILE_BASELINE_INFORMATION: true
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
- name: Upload SARIF
uses: actions/upload-artifact@v3
with:
@ -87,4 +85,5 @@ jobs:
fi
done
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true # Remove when Swift is GA.
CODEQL_ACTION_TEST_MODE: true


@ -7,6 +7,7 @@ name: PR Check - Extractor ram and threads options test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: 'PR Check - Go: Custom queries'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: 'PR Check - Go: tracing with autobuilder step'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: 'PR Check - Go: tracing with custom build steps'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: 'PR Check - Go: tracing with legacy workflow'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Download using registries'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - Custom source root
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - ML-powered queries
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - Multi-language repository
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:
@ -45,6 +46,10 @@ jobs:
version: latest
- os: macos-latest
version: latest
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
name: Multi-language repository
timeout-minutes: 45
runs-on: ${{ matrix.os }}
@ -61,17 +66,16 @@ jobs:
uses: actions/setup-go@v3
with:
go-version: ^1.13.1
- uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
# Only macOS latest and nightly-latest support Swift 5.7.1
if: runner.os == 'Linux' || matrix.version == 'cached'
with:
swift-version: 5.7.0
- uses: ./../action/init
id: init
with:
db-location: ${{ runner.temp }}/customDbLocation
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Build code
shell: bash
run: ./build.sh
@ -125,8 +129,8 @@ jobs:
fi
- name: Check language autodetect for Swift
if: "!startsWith(matrix.os, 'windows') && (matrix.version == 'cached' || matrix.version\
\ == 'latest' || matrix.version == 'nightly-latest')"
if: (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version
== 'nightly-latest')
shell: bash
run: |
SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}


@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Config and input passed to the CLI'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Config and input'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Config file'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: 'PR Check - Packaging: Action input'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - Remote config file
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - RuboCop multi-language
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:

1
.github/workflows/__ruby.yml generated vendored

@ -7,6 +7,7 @@ name: PR Check - Ruby analysis
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - Split workflow
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - Submit SARIF after failure
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - Swift analysis using autobuild
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:
@ -42,15 +43,17 @@ jobs:
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
# Only macOS latest and nightly-latest support Swift 5.7.1
if: runner.os == 'Linux' || matrix.version == 'cached'
with:
swift-version: 5.7.0
- uses: ./../action/init
id: init
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd
- uses: ./../action/autobuild
- uses: ./../action/analyze
id: analysis
@ -63,5 +66,5 @@ jobs:
exit 1
fi
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true'
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
CODEQL_ACTION_TEST_MODE: true


@ -7,6 +7,7 @@ name: PR Check - Swift analysis using a custom build command
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:
@ -33,6 +34,10 @@ jobs:
version: cached
- os: macos-latest
version: cached
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
name: Swift analysis using a custom build command
timeout-minutes: 45
runs-on: ${{ matrix.os }}
@ -44,15 +49,17 @@ jobs:
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
# Only macOS latest and nightly-latest support Swift 5.7.1
if: runner.os == 'Linux' || matrix.version == 'cached'
with:
swift-version: 5.7.0
- uses: ./../action/init
id: init
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd
- name: Build code
shell: bash
run: ./build.sh
@ -67,6 +74,6 @@ jobs:
exit 1
fi
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true'
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
DOTNET_GENERATE_ASPNET_CERTIFICATE: 'false'
CODEQL_ACTION_TEST_MODE: true


@ -7,6 +7,7 @@ name: PR Check - Autobuild working directory
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - Local CodeQL bundle
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:

1
.github/workflows/__test-proxy.yml generated vendored

@ -7,6 +7,7 @@ name: PR Check - Proxy test
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - Test unsetting environment variables
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:
@ -59,7 +60,10 @@ jobs:
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
# Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
# workaround for our PR checks.
run: env -i CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN=true PATH="$PATH" HOME="$HOME"
./build.sh
- uses: ./../action/analyze
id: analysis
- shell: bash


@ -7,6 +7,7 @@ name: "PR Check - Upload-sarif: 'ref' and 'sha' from inputs"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -7,6 +7,7 @@ name: PR Check - Use a custom `checkout_path`
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:


@ -8,6 +8,9 @@ on:
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
# by other workflows.
types: [opened, synchronize, reopened, ready_for_review]
schedule:
# Weekly on Sunday.
- cron: '30 1 * * 0'
env:
CODEQL_ACTION_TESTING_ENVIRONMENT: codeql-action-pr-checks
@ -54,7 +57,7 @@ jobs:
# be the same as `tools: null`. This allows us to make the job for each of the bundles a
# required status check.
#
# If we're running on push, then we can skip running with `tools: latest` when it would be
# If we're running on push or schedule, then we can skip running with `tools: latest` when it would be
# the same as running with `tools: null`.
if [[ "$GITHUB_EVENT_NAME" != "pull_request" && "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
VERSIONS_JSON='[null]'
@ -78,8 +81,10 @@ jobs:
security-events: write
steps:
- uses: actions/checkout@v3
- uses: ./init
- name: Checkout
uses: actions/checkout@v3
- name: Initialize CodeQL
uses: ./init
id: init
with:
languages: javascript
@ -88,4 +93,5 @@ jobs:
# confirm steps.init.outputs.codeql-path points to the codeql binary
- name: Print CodeQL Version
run: ${{steps.init.outputs.codeql-path}} version --format=json
- uses: ./analyze
- name: Perform CodeQL Analysis
uses: ./analyze


@ -2,6 +2,9 @@
# when the analyze step fails.
name: PR Check - Debug artifacts after failure
env:
# Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
# workaround for our PR checks.
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
on:
push:
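Review bot: `CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true` under the workflow-level `env:` is written as a bare YAML boolean here and in the debug-artifacts hunk that follows, while the generated PR-check workflows in this same commit set the identical variable as the string `'true'`; as far as I know Actions renders both as the string `true` in the job environment, so this is a consistency point rather than a bug, but writing it as `CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'` keeps the hand-written and generated workflows grep-identical. The comment above it describes a temporary workaround without saying what "incompatible" means in practice; a short addition such as `# (the Java extractor's Kotlin agent fails on Kotlin 1.8 builds)` or a pointer to where the breakage is tracked would make it clear when the variable can be dropped.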


@ -1,6 +1,9 @@
# Checks logs, SARIF, and database bundle debug artifacts exist.
name: PR Check - Debug artifact upload
env:
# Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
# workaround for our PR checks.
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: true
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
on:
push:


@ -28,17 +28,7 @@ jobs:
matrix:
os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
python_deps_type: [pipenv, poetry, requirements, setup_py]
python_version: [2, 3]
exclude:
# Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
- python_version: 2
python_deps_type: poetry
# Python2 and pipenv are not supported since pipenv v2021.11.5
- python_version: 2
python_deps_type: pipenv
# Python2 is not available on ubuntu-22.04 by default -- see https://github.com/github/codeql-action/pull/1257
- python_version: 2
os: ubuntu-22.04
python_version: [3]
env:
@ -138,14 +128,7 @@ jobs:
fail-fast: false
matrix:
python_deps_type: [pipenv, poetry, requirements, setup_py]
python_version: [2, 3]
exclude:
# Python2 and poetry are not supported. See https://github.com/actions/setup-python/issues/374
- python_version: 2
python_deps_type: poetry
# Python2 and pipenv are not supported since pipenv v2021.11.5
- python_version: 2
python_deps_type: pipenv
python_version: [3]
env:
CODEQL_ACTION_TEST_MODE: true


@ -1,5 +1,9 @@
# CodeQL Action Changelog
## 2.1.38 - 12 Jan 2023
- Update default CodeQL bundle version to 2.12.0. [#1466](https://github.com/github/codeql-action/pull/1466)
## 2.1.37 - 14 Dec 2022
- Update default CodeQL bundle version to 2.11.6. [#1433](https://github.com/github/codeql-action/pull/1433)

2
lib/analyze-action.js generated

@ -179,7 +179,6 @@ async function run() {
if (runStats && actionsUtil.getRequiredInput("upload") === "true") {
uploadResult = await upload_lib.uploadFromActions(outputDir, actionsUtil.getRequiredInput("checkout_path"), actionsUtil.getOptionalInput("category"), logger);
core.setOutput("sarif-id", uploadResult.sarifID);
core.exportVariable(shared_environment_1.CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF, "true");
}
else {
logger.info("Not uploading results");
@ -203,6 +202,7 @@ async function run() {
if (actionsUtil.getOptionalInput("expect-error") === "true") {
core.setFailed(`expect-error input was set to true but no error was thrown.`);
}
core.exportVariable(shared_environment_1.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY, "true");
}
catch (origError) {
const error = origError instanceof Error ? origError : new Error(String(origError));


1
lib/analyze.js generated

@ -159,6 +159,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
logger.info(analysisSummary);
}
else {
// config was generated by the action, so must be interpreted by the action.
logger.startGroup(`Running queries for ${language}`);
const querySuitePaths = [];
if (queries["builtin"].length > 0) {


197
lib/codeql.js generated

@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
const fs = __importStar(require("fs"));
const path = __importStar(require("path"));
const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
@ -72,7 +72,6 @@ const CODEQL_MINIMUM_VERSION = "2.6.3";
*/
const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
exports.CODEQL_VERSION_CONFIG_FILES = "2.10.1";
const CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED = "2.10.4";
exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
const CODEQL_VERSION_FILE_BASELINE_INFORMATION = "2.11.3";
@ -196,95 +195,125 @@ async function getCodeQLBundleDownloadURL(apiDetails, variant, logger) {
}
return `https://github.com/${exports.CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
}
async function getCodeQLSource(toolsInput, bypassToolcache, apiDetails, variant, logger) {
var _a;
if (toolsInput && toolsInput !== "latest" && !toolsInput.startsWith("http")) {
return {
codeqlTarPath: toolsInput,
sourceType: "local",
toolsVersion: "local",
};
}
const forceLatestReason =
// We use the special value of 'latest' to prioritize the version in the
// defaults over any pinned cached version.
toolsInput === "latest"
? '"tools: latest" was requested'
: // If the user hasn't requested a particular CodeQL version, then bypass
// the toolcache when the appropriate feature is enabled. This
// allows us to quickly rollback a broken bundle that has made its way
// into the toolcache.
toolsInput === undefined && bypassToolcache
? "a specific version of CodeQL was not requested and the bypass toolcache feature is enabled"
: undefined;
const forceLatest = forceLatestReason !== undefined;
if (forceLatest) {
logger.debug(`Forcing the latest version of the CodeQL tools since ${forceLatestReason}.`);
}
const codeqlURL = forceLatest ? undefined : toolsInput;
const requestedSemVer = convertToSemVer(getCodeQLURLVersion(codeqlURL || `/${CODEQL_BUNDLE_VERSION}/`), logger);
// If we find the specified version, we always use that.
const codeqlFolder = toolcache.find("CodeQL", requestedSemVer);
if (codeqlFolder) {
return {
codeqlFolder,
sourceType: "toolcache",
toolsVersion: requestedSemVer,
};
}
// If we don't find the requested version, in some cases we may allow a
// different version to save download time if the version hasn't been
// specified explicitly (in which case we always honor it).
if (!codeqlURL && !forceLatest) {
const codeqlVersions = toolcache.findAllVersions("CodeQL");
if (codeqlVersions.length === 1 && (0, util_1.isGoodVersion)(codeqlVersions[0])) {
const tmpCodeqlFolder = toolcache.find("CodeQL", codeqlVersions[0]);
if (fs.existsSync(path.join(tmpCodeqlFolder, "pinned-version"))) {
logger.debug(`CodeQL in cache overriding the default ${CODEQL_BUNDLE_VERSION}`);
return {
codeqlFolder: tmpCodeqlFolder,
sourceType: "toolcache",
toolsVersion: codeqlVersions[0],
};
}
}
}
return {
codeqlURL: codeqlURL ||
(await getCodeQLBundleDownloadURL(apiDetails, variant, logger)),
semanticVersion: requestedSemVer,
sourceType: "download",
toolsVersion: ((_a = semver.prerelease(requestedSemVer)) === null || _a === void 0 ? void 0 : _a.join(".")) || requestedSemVer,
};
}
async function downloadCodeQL(codeqlURL, semanticVersion, apiDetails, tempDir, logger) {
const parsedCodeQLURL = new URL(codeqlURL);
const searchParams = new URLSearchParams(parsedCodeQLURL.search);
const headers = {
accept: "application/octet-stream",
};
// We only want to provide an authorization header if we are downloading
// from the same GitHub instance the Action is running on.
// This avoids leaking Enterprise tokens to dotcom.
// We also don't want to send an authorization header if there's already a token provided in the URL.
if (searchParams.has("token")) {
logger.debug("CodeQL tools URL contains an authorization token.");
}
else if (codeqlURL.startsWith(`${apiDetails.url}/`)) {
logger.debug("Providing an authorization token to download CodeQL tools.");
headers.authorization = `token ${apiDetails.auth}`;
}
else {
logger.debug("Downloading CodeQL tools without an authorization token.");
}
logger.info(`Downloading CodeQL tools from ${codeqlURL}. This may take a while.`);
const dest = path.join(tempDir, (0, uuid_1.v4)());
const finalHeaders = Object.assign({ "User-Agent": "CodeQL Action" }, headers);
const codeqlPath = await toolcache.downloadTool(codeqlURL, dest, undefined, finalHeaders);
logger.debug(`CodeQL bundle download to ${codeqlPath} complete.`);
const codeqlExtracted = await toolcache.extractTar(codeqlPath);
return await toolcache.cacheDir(codeqlExtracted, "CodeQL", semanticVersion);
}
/**
* Set up CodeQL CLI access.
*
* @param codeqlURL
* @param toolsInput
* @param apiDetails
* @param tempDir
* @param variant
* @param features
* @param bypassToolcache
* @param logger
* @param checkVersion Whether to check that CodeQL CLI meets the minimum
* version requirement. Must be set to true outside tests.
* @returns a { CodeQL, toolsVersion } object.
*/
async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, bypassToolcache, logger, checkVersion) {
async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, bypassToolcache, logger, checkVersion) {
try {
const forceLatestReason =
// We use the special value of 'latest' to prioritize the version in the
// defaults over any pinned cached version.
codeqlURL === "latest"
? '"tools: latest" was requested'
: // If the user hasn't requested a particular CodeQL version, then bypass
// the toolcache when the appropriate feature is enabled. This
// allows us to quickly rollback a broken bundle that has made its way
// into the toolcache.
codeqlURL === undefined && bypassToolcache
? "a specific version of CodeQL was not requested and the bypass toolcache feature is enabled"
: undefined;
const forceLatest = forceLatestReason !== undefined;
if (forceLatest) {
logger.debug(`Forcing the latest version of the CodeQL tools since ${forceLatestReason}.`);
codeqlURL = undefined;
}
const source = await getCodeQLSource(toolsInput, bypassToolcache, apiDetails, variant, logger);
let codeqlFolder;
let codeqlURLVersion;
if (codeqlURL && !codeqlURL.startsWith("http")) {
codeqlFolder = await toolcache.extractTar(codeqlURL);
codeqlURLVersion = "local";
}
else {
codeqlURLVersion = getCodeQLURLVersion(codeqlURL || `/${CODEQL_BUNDLE_VERSION}/`);
const codeqlURLSemVer = convertToSemVer(codeqlURLVersion, logger);
// If we find the specified version, we always use that.
codeqlFolder = toolcache.find("CodeQL", codeqlURLSemVer);
// If we don't find the requested version, in some cases we may allow a
// different version to save download time if the version hasn't been
// specified explicitly (in which case we always honor it).
if (!codeqlFolder && !codeqlURL && !forceLatest) {
const codeqlVersions = toolcache.findAllVersions("CodeQL");
if (codeqlVersions.length === 1 && (0, util_1.isGoodVersion)(codeqlVersions[0])) {
const tmpCodeqlFolder = toolcache.find("CodeQL", codeqlVersions[0]);
if (fs.existsSync(path.join(tmpCodeqlFolder, "pinned-version"))) {
logger.debug(`CodeQL in cache overriding the default ${CODEQL_BUNDLE_VERSION}`);
codeqlFolder = tmpCodeqlFolder;
codeqlURLVersion = codeqlVersions[0];
}
}
}
if (codeqlFolder) {
switch (source.sourceType) {
case "local":
codeqlFolder = await toolcache.extractTar(source.codeqlTarPath);
break;
case "toolcache":
codeqlFolder = source.codeqlFolder;
logger.debug(`CodeQL found in cache ${codeqlFolder}`);
}
else {
if (!codeqlURL) {
codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, variant, logger);
}
const parsedCodeQLURL = new URL(codeqlURL);
const searchParams = new URLSearchParams(parsedCodeQLURL.search);
const headers = {
accept: "application/octet-stream",
};
// We only want to provide an authorization header if we are downloading
// from the same GitHub instance the Action is running on.
// This avoids leaking Enterprise tokens to dotcom.
// We also don't want to send an authorization header if there's already a token provided in the URL.
if (codeqlURL.startsWith(`${apiDetails.url}/`) &&
!searchParams.has("token")) {
logger.debug("Downloading CodeQL bundle with token.");
headers.authorization = `token ${apiDetails.auth}`;
}
else {
logger.debug("Downloading CodeQL bundle without token.");
}
logger.info(`Downloading CodeQL tools from ${codeqlURL}. This may take a while.`);
const dest = path.join(tempDir, (0, uuid_1.v4)());
const finalHeaders = Object.assign({ "User-Agent": "CodeQL Action" }, headers);
const codeqlPath = await toolcache.downloadTool(codeqlURL, dest, undefined, finalHeaders);
logger.debug(`CodeQL bundle download to ${codeqlPath} complete.`);
const codeqlExtracted = await toolcache.extractTar(codeqlPath);
codeqlFolder = await toolcache.cacheDir(codeqlExtracted, "CodeQL", codeqlURLSemVer);
}
break;
case "download":
codeqlFolder = await downloadCodeQL(source.codeqlURL, source.semanticVersion, apiDetails, tempDir, logger);
break;
default:
(0, util_1.assertNever)(source);
}
let codeqlCmd = path.join(codeqlFolder, "codeql", "codeql");
if (process.platform === "win32") {
@ -294,7 +323,7 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, variant, bypassToolca
throw new Error(`Unsupported platform: ${process.platform}`);
}
cachedCodeQL = await getCodeQLForCmd(codeqlCmd, checkVersion);
return { codeql: cachedCodeQL, toolsVersion: codeqlURLVersion };
return { codeql: cachedCodeQL, toolsVersion: source.toolsVersion };
}
catch (e) {
logger.error(e instanceof Error ? e : new Error(String(e)));
@ -507,9 +536,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
extraArgs.push("--no-internal-use-lua-tracing");
}
}
// A config file is only generated if the CliConfigFileEnabled feature flag is enabled.
const configLocation = await generateCodeScanningConfig(codeql, config, featureEnablement);
// Only pass external repository token if a config file is going to be parsed by the CLI.
let externalRepositoryToken;
if (configLocation) {
extraArgs.push(`--codescanning-config=${configLocation}`);
externalRepositoryToken = (0, actions_util_1.getOptionalInput)("external-repository-token");
if (externalRepositoryToken) {
extraArgs.push("--external-repository-token-stdin");
}
}
await runTool(cmd, [
"database",
@ -519,7 +555,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
`--source-root=${sourceRoot}`,
...extraArgs,
...getExtraOptionsFromEnv(["database", "init"]),
]);
], { stdin: externalRepositoryToken });
},
async runAutobuild(language) {
const cmdName = process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh";
@ -854,7 +890,7 @@ exports.getExtraOptions = getExtraOptions;
* status reports on GitHub.com.
*/
const maxErrorSize = 20000;
async function runTool(cmd, args = []) {
async function runTool(cmd, args = [], opts = {}) {
let output = "";
let error = "";
const exitCode = await new toolrunner.ToolRunner(cmd, args, {
@ -873,6 +909,7 @@ async function runTool(cmd, args = []) {
},
},
ignoreReturnCode: true,
...(opts.stdin ? { input: Buffer.from(opts.stdin || "") } : {}),
}).exec();
if (exitCode !== 0)
throw new CommandInvocationError(cmd, args, exitCode, error, output);


143
lib/codeql.test.js generated

@ -46,14 +46,12 @@ const util_1 = require("./util");
const sampleApiDetails = {
auth: "token",
url: "https://github.com",
apiURL: undefined,
registriesAuthTokens: undefined,
apiURL: "https://api.github.com",
};
const sampleGHAEApiDetails = {
auth: "token",
url: "https://example.githubenterprise.com",
apiURL: undefined,
registriesAuthTokens: undefined,
apiURL: "https://example.githubenterprise.com/api/v3",
};
let stubConfig;
ava_1.default.beforeEach(() => {
@ -83,7 +81,13 @@ ava_1.default.beforeEach(() => {
trapCacheDownloadTime: 0,
};
});
async function mockApiAndSetupCodeQL({ apiDetails, bypassToolcache, isPinned, tmpDir, toolsInput, version, }) {
/**
* Mocks the API for downloading the bundle tagged `tagName`.
*
* @returns the download URL for the bundle. This can be passed to the tools parameter of
* `codeql.setupCodeQL`.
*/
async function mockDownloadApi({ apiDetails = sampleApiDetails, isPinned, tagName, }) {
var _a;
const platform = process.platform === "win32"
? "win64"
@ -92,97 +96,94 @@ async function mockApiAndSetupCodeQL({ apiDetails, bypassToolcache, isPinned, tm
: "osx64";
const baseUrl = (_a = apiDetails === null || apiDetails === void 0 ? void 0 : apiDetails.url) !== null && _a !== void 0 ? _a : "https://example.com";
const relativeUrl = apiDetails
? `/github/codeql-action/releases/download/${version}/codeql-bundle-${platform}.tar.gz`
: `/download/codeql-bundle-${version}/codeql-bundle.tar.gz`;
? `/github/codeql-action/releases/download/${tagName}/codeql-bundle-${platform}.tar.gz`
: `/download/${tagName}/codeql-bundle.tar.gz`;
(0, nock_1.default)(baseUrl)
.get(relativeUrl)
.replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle${isPinned ? "-pinned" : ""}.tar.gz`));
return await codeql.setupCodeQL(toolsInput ? toolsInput.input : `${baseUrl}${relativeUrl}`, apiDetails !== null && apiDetails !== void 0 ? apiDetails : sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, !!bypassToolcache, (0, logging_1.getRunnerLogger)(true), false);
return `${baseUrl}${relativeUrl}`;
}
(0, ava_1.default)("download codeql bundle cache", async (t) => {
async function installIntoToolcache({ apiDetails = sampleApiDetails, isPinned, tagName, tmpDir, }) {
const url = await mockDownloadApi({ apiDetails, isPinned, tagName });
await codeql.setupCodeQL(url, apiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, (0, logging_1.getRunnerLogger)(true), false);
}
(0, ava_1.default)("downloads and caches explicitly requested bundles that aren't in the toolcache", async (t) => {
await util.withTmpDir(async (tmpDir) => {
(0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
const versions = ["20200601", "20200610"];
for (let i = 0; i < versions.length; i++) {
const version = versions[i];
const codeQLConfig = await mockApiAndSetupCodeQL({ version, tmpDir });
const url = await mockDownloadApi({
tagName: `codeql-bundle-${version}`,
isPinned: false,
});
const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, (0, logging_1.getRunnerLogger)(true), false);
t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
t.deepEqual(codeQLConfig.toolsVersion, version);
t.is(result.toolsVersion, version);
}
t.is(toolcache.findAllVersions("CodeQL").length, 2);
});
});
(0, ava_1.default)("download codeql bundle cache explicitly requested with pinned different version cached", async (t) => {
(0, ava_1.default)("downloads an explicitly requested bundle even if a different version is cached", async (t) => {
await util.withTmpDir(async (tmpDir) => {
(0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
version: "20200601",
await installIntoToolcache({
tagName: "codeql-bundle-20200601",
isPinned: true,
tmpDir,
});
t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
const unpinnedCodeQLConfig = await mockApiAndSetupCodeQL({
version: "20200610",
tmpDir,
const url = await mockDownloadApi({
tagName: "codeql-bundle-20200610",
});
const result = await codeql.setupCodeQL(url, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, (0, logging_1.getRunnerLogger)(true), false);
t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
t.deepEqual(unpinnedCodeQLConfig.toolsVersion, "20200610");
t.deepEqual(result.toolsVersion, "20200610");
});
});
(0, ava_1.default)("don't download codeql bundle cache with pinned different version cached", async (t) => {
(0, ava_1.default)("uses a cached bundle when no tools input is given", async (t) => {
await util.withTmpDir(async (tmpDir) => {
(0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
version: "20200601",
await installIntoToolcache({
tagName: "codeql-bundle-20200601",
isPinned: true,
tmpDir,
});
t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
const codeQLConfig = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, (0, logging_1.getRunnerLogger)(true), false);
t.deepEqual(codeQLConfig.toolsVersion, "0.0.0-20200601");
const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, (0, logging_1.getRunnerLogger)(true), false);
t.deepEqual(result.toolsVersion, "0.0.0-20200601");
const cachedVersions = toolcache.findAllVersions("CodeQL");
t.is(cachedVersions.length, 1);
});
});
(0, ava_1.default)("download codeql bundle cache with different version cached (not pinned)", async (t) => {
(0, ava_1.default)("downloads bundle if only an unpinned version is cached", async (t) => {
await util.withTmpDir(async (tmpDir) => {
(0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
const cachedCodeQLConfig = await mockApiAndSetupCodeQL({
version: "20200601",
await installIntoToolcache({
tagName: "codeql-bundle-20200601",
isPinned: false,
tmpDir,
});
t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
t.deepEqual(cachedCodeQLConfig.toolsVersion, "20200601");
const codeQLConfig = await mockApiAndSetupCodeQL({
version: defaults.bundleVersion,
tmpDir,
apiDetails: sampleApiDetails,
toolsInput: { input: undefined },
await mockDownloadApi({
tagName: defaults.bundleVersion,
});
t.deepEqual(codeQLConfig.toolsVersion, defaults.bundleVersion.replace("codeql-bundle-", ""));
const result = await codeql.setupCodeQL(undefined, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, (0, logging_1.getRunnerLogger)(true), false);
t.deepEqual(result.toolsVersion, defaults.bundleVersion.replace("codeql-bundle-", ""));
const cachedVersions = toolcache.findAllVersions("CodeQL");
t.is(cachedVersions.length, 2);
});
});
(0, ava_1.default)('download codeql bundle cache with pinned different version cached if "latest" tools specified', async (t) => {
(0, ava_1.default)('downloads bundle if "latest" tools specified but not cached', async (t) => {
await util.withTmpDir(async (tmpDir) => {
(0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
version: "20200601",
await installIntoToolcache({
tagName: "codeql-bundle-20200601",
isPinned: true,
tmpDir,
});
t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
const latestCodeQLConfig = await mockApiAndSetupCodeQL({
version: defaults.bundleVersion,
apiDetails: sampleApiDetails,
toolsInput: { input: "latest" },
tmpDir,
await mockDownloadApi({
tagName: defaults.bundleVersion,
});
t.deepEqual(latestCodeQLConfig.toolsVersion, defaults.bundleVersion.replace("codeql-bundle-", ""));
const result = await codeql.setupCodeQL("latest", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, false, (0, logging_1.getRunnerLogger)(true), false);
t.deepEqual(result.toolsVersion, defaults.bundleVersion.replace("codeql-bundle-", ""));
const cachedVersions = toolcache.findAllVersions("CodeQL");
t.is(cachedVersions.length, 2);
});
@ -200,20 +201,15 @@ for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCAC
(0, ava_1.default)(`download codeql bundle ${shouldToolcacheBeBypassed ? "bypasses" : "does not bypass"} toolcache when feature ${isFeatureEnabled ? "enabled" : "disabled"} and tools: ${toolsInput} passed`, async (t) => {
await util.withTmpDir(async (tmpDir) => {
(0, testing_utils_1.setupActionsVars)(tmpDir, tmpDir);
await mockApiAndSetupCodeQL({
version: "codeql-bundle-20200601",
apiDetails: sampleApiDetails,
await installIntoToolcache({
tagName: "codeql-bundle-20200601",
isPinned: true,
tmpDir,
});
t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
await mockApiAndSetupCodeQL({
version: defaults.bundleVersion,
apiDetails: sampleApiDetails,
bypassToolcache: isFeatureEnabled,
toolsInput: { input: toolsInput },
tmpDir,
await mockDownloadApi({
tagName: defaults.bundleVersion,
});
await codeql.setupCodeQL(toolsInput, sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, isFeatureEnabled, (0, logging_1.getRunnerLogger)(true), false);
const cachedVersions = toolcache.findAllVersions("CodeQL");
t.is(cachedVersions.length, shouldToolcacheBeBypassed ? 2 : 1);
});
@ -242,6 +238,23 @@ for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCAC
(0, nock_1.default)("https://example.githubenterprise.com")
.get(`/github/codeql-action/releases/download/${defaults.bundleVersion}/${codeQLBundleName}`)
.replyWithFile(200, path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`));
// This is a workaround to mock `api.getApiDetails()` since it doesn't seem to be possible to
// mock this directly. The difficulty is that `getApiDetails()` is called locally in
// `api-client.ts`, but `sinon.stub(api, "getApiDetails")` only affects calls to
// `getApiDetails()` via an imported `api` module.
sinon
.stub(actionsUtil, "getRequiredInput")
.withArgs("token")
.returns(sampleGHAEApiDetails.auth);
const requiredEnvParamStub = sinon.stub(util, "getRequiredEnvParam");
requiredEnvParamStub
.withArgs("GITHUB_SERVER_URL")
.returns(sampleGHAEApiDetails.url);
requiredEnvParamStub
.withArgs("GITHUB_API_URL")
.returns(sampleGHAEApiDetails.apiURL);
sinon.stub(actionsUtil, "isRunningLocalAction").returns(false);
process.env["GITHUB_ACTION_REPOSITORY"] = "github/codeql-action";
await codeql.setupCodeQL(undefined, sampleGHAEApiDetails, tmpDir, util.GitHubVariant.GHAE, false, (0, logging_1.getRunnerLogger)(true), false);
const cachedVersions = toolcache.findAllVersions("CodeQL");
t.is(cachedVersions.length, 1);
@ -354,7 +367,7 @@ const injectedConfigMacro = ava_1.default.macro({
const codeqlObject = await codeql.getCodeQLForTesting();
sinon
.stub(codeqlObject, "getVersion")
.resolves(codeql.CODEQL_VERSION_CONFIG_FILES);
.resolves(feature_flags_1.featureConfig[feature_flags_1.Feature.CliConfigFileEnabled].minimumVersion);
const thisStubConfig = {
...stubConfig,
...configOverride,
@ -384,7 +397,7 @@ const injectedConfigMacro = ava_1.default.macro({
queriesInputCombines: false,
packsInputCombines: false,
}, {}, {
packs: ["codeql/javascript-experimental-atm-queries@~0.3.0"],
packs: ["codeql/javascript-experimental-atm-queries@~0.4.0"],
});
(0, ava_1.default)("injected ML queries with existing packs", injectedConfigMacro, {
injectedMlQueries: true,
@ -398,7 +411,7 @@ const injectedConfigMacro = ava_1.default.macro({
packs: {
javascript: [
"codeql/something-else",
"codeql/javascript-experimental-atm-queries@~0.3.0",
"codeql/javascript-experimental-atm-queries@~0.4.0",
],
},
});
@ -413,7 +426,7 @@ const injectedConfigMacro = ava_1.default.macro({
}, {
packs: {
cpp: ["codeql/something-else"],
javascript: ["codeql/javascript-experimental-atm-queries@~0.3.0"],
javascript: ["codeql/javascript-experimental-atm-queries@~0.4.0"],
},
});
(0, ava_1.default)("injected packs from input", injectedConfigMacro, {
@ -466,7 +479,7 @@ const injectedConfigMacro = ava_1.default.macro({
},
},
}, {
packs: ["xxx", "yyy", "codeql/javascript-experimental-atm-queries@~0.3.0"],
packs: ["xxx", "yyy", "codeql/javascript-experimental-atm-queries@~0.4.0"],
});
// similar, but with queries
(0, ava_1.default)("injected queries from input", injectedConfigMacro, {
@ -560,7 +573,7 @@ const injectedConfigMacro = ava_1.default.macro({
const codeqlObject = await codeql.getCodeQLForTesting();
sinon
.stub(codeqlObject, "getVersion")
.resolves(codeql.CODEQL_VERSION_CONFIG_FILES);
.resolves(feature_flags_1.featureConfig[feature_flags_1.Feature.CliConfigFileEnabled].minimumVersion);
await codeqlObject.databaseInitCluster(stubConfig, "", undefined, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
const args = runnerConstructorStub.firstCall.args[1];
// should have used an config file


31
lib/config-utils.js generated

@ -240,8 +240,12 @@ async function parseQueryUses(languages, codeQL, resultMap, packs, queryUses, te
if (queryUses.indexOf("/") === -1 && queryUses.indexOf("@") === -1) {
return await addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, queryUses, featureEnablement, configFile);
}
// Otherwise, must be a reference to another repo
await addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetails, logger, configFile);
// Otherwise, must be a reference to another repo.
// If config parsing is handled in CLI, then this repo will be downloaded
// later by the CLI.
if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL, featureEnablement))) {
await addRemoteQueries(codeQL, resultMap, queryUses, tempDir, apiDetails, logger, configFile);
}
return false;
}
// Regex validating stars in paths or paths-ignore entries.
@ -925,22 +929,23 @@ async function initConfig(languagesInput, queriesInput, packsInput, registriesIn
else {
config = await loadConfig(languagesInput, queriesInput, packsInput, configFile, dbLocation, trapCachingEnabled, debugMode, debugArtifactName, debugDatabaseName, repository, tempDir, codeQL, workspacePath, gitHubVersion, apiDetails, featureEnablement, logger);
}
// The list of queries should not be empty for any language. If it is then
// it is a user configuration error.
for (const language of config.languages) {
const hasBuiltinQueries = ((_a = config.queries[language]) === null || _a === void 0 ? void 0 : _a.builtin.length) > 0;
const hasCustomQueries = ((_b = config.queries[language]) === null || _b === void 0 ? void 0 : _b.custom.length) > 0;
const hasPacks = (((_c = config.packs[language]) === null || _c === void 0 ? void 0 : _c.length) || 0) > 0;
if (!hasPacks && !hasBuiltinQueries && !hasCustomQueries) {
throw new Error(`Did not detect any queries to run for ${language}. ` +
"Please make sure that the default queries are enabled, or you are specifying queries to run.");
}
}
// When using the codescanning config in the CLI, pack downloads
// happen in the CLI during the `database init` command, so no need
// to download them here.
await (0, util_1.logCodeScanningConfigInCli)(codeQL, featureEnablement, logger);
if (!(await (0, util_1.useCodeScanningConfigInCli)(codeQL, featureEnablement))) {
// The list of queries should not be empty for any language. If it is then
// it is a user configuration error.
// This check occurs in the CLI when it parses the config file.
for (const language of config.languages) {
const hasBuiltinQueries = ((_a = config.queries[language]) === null || _a === void 0 ? void 0 : _a.builtin.length) > 0;
const hasCustomQueries = ((_b = config.queries[language]) === null || _b === void 0 ? void 0 : _b.custom.length) > 0;
const hasPacks = (((_c = config.packs[language]) === null || _c === void 0 ? void 0 : _c.length) || 0) > 0;
if (!hasPacks && !hasBuiltinQueries && !hasCustomQueries) {
throw new Error(`Did not detect any queries to run for ${language}. ` +
"Please make sure that the default queries are enabled, or you are specifying queries to run.");
}
}
const registries = parseRegistries(registriesInput);
await downloadPacks(codeQL, config.languages, config.packs, registries, apiDetails, config.tempDir, logger);
}
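Review bot: The "no queries detected" check in `initConfig` is now skipped whenever `useCodeScanningConfigInCli` returns true, and the new comment only states that the CLI performs it; since that presumably depends on the CLI version (the minimum version for `Feature.CliConfigFileEnabled` is raised to 2.11.6 in lib/feature-flags.js in this same commit), I would record the coupling so a later change to that minimum does not silently drop the check: `// This check occurs in the CLI when it parses the config file; it relies on the minimum CLI version set for Feature.CliConfigFileEnabled in feature-flags.js.` The same applies to the `parseQueryUses` hunk above, where remote `uses:` references are no longer fetched by `addRemoteQueries` in the CLI path, so whatever validation that helper performs on the reference (outside this hunk) is deferred to the CLI as well and the comment there could say so. `useCodeScanningConfigInCli(codeQL, featureEnablement)` is also awaited separately in both places; if it is not a cheap lookup, computing it once in `initConfig` would avoid repeated evaluation. Both enclosing functions start before their hunks, and `initConfig` continues after its hunk.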


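--- a/lib/database-upload.js
+++ b/lib/database-upload.js
@@ -44,24 +44,32 @@ async function uploadDatabases(repositoryNwo, config, apiDetails, logger) {
 const client = (0, api_client_1.getApiClient)();
 const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
 for (const language of config.languages) {
-// Upload the database bundle.
-// Although we are uploading arbitrary file contents to the API, it's worth
-// noting that it's the API's job to validate that the contents is acceptable.
-// This API method is available to anyone with write access to the repo.
-const payload = fs.readFileSync(await (0, util_1.bundleDb)(config, language, codeql, language));
 try {
-await client.request(`POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name`, {
-owner: repositoryNwo.owner,
-repo: repositoryNwo.repo,
-language,
-name: `${language}-database`,
-data: payload,
-headers: {
-authorization: `token ${apiDetails.auth}`,
-"Content-Type": "application/zip",
-},
-});
-logger.debug(`Successfully uploaded database for ${language}`);
+// Upload the database bundle.
+// Although we are uploading arbitrary file contents to the API, it's worth
+// noting that it's the API's job to validate that the contents is acceptable.
+// This API method is available to anyone with write access to the repo.
+const bundledDb = await (0, util_1.bundleDb)(config, language, codeql, language);
+const bundledDbSize = fs.statSync(bundledDb).size;
+const bundledDbReadStream = fs.createReadStream(bundledDb);
+try {
+await client.request(`POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name`, {
+owner: repositoryNwo.owner,
+repo: repositoryNwo.repo,
+language,
+name: `${language}-database`,
+data: bundledDbReadStream,
+headers: {
+authorization: `token ${apiDetails.auth}`,
+"Content-Type": "application/zip",
+"Content-Length": bundledDbSize,
+},
+});
+logger.debug(`Successfully uploaded database for ${language}`);
+}
+finally {
+bundledDbReadStream.close();
+}
 }
 catch (e) {
 console.log(e);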
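Review bot: `bundleDb` and `fs.statSync` now run inside the outer `try` (the shared `try {` is the context line above the new comment block), so a failure to build or stat the bundle is caught by the same `catch (e)` as an upload failure and only logged, where before the `readFileSync(await bundleDb(...))` line sat outside the `try` and a bundling error propagated out of `uploadDatabases`. If that change is intended, it deserves a line next to the bundling so the next reader does not take it for an accident: `// Bundling failures are caught below and logged rather than failing the workflow.` Separately, `bundledDbReadStream` has no `error` listener of its own before the request starts consuming it, so an I/O error on the file after `statSync` would presumably surface as an unhandled stream error rather than through this catch; worth confirming against how the client reads the stream, and the `finally` could use `destroy()` for the same effect without relying on the fs-specific `close()`. `uploadDatabases` starts before the hunk and continues after it.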


@ -1 +1 @@
{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkC;AAE3B,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE;QAC9D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;KACR;IAED,iDAAiD;IACjD,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;QAC3D,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO;KACR;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE;QACnD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;KACR;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,GAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,8BAA8B;QAC9B,2EAA2E;QAC3E,8EAA8E;QAC9E,wEAAwE;QACxE,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAC7B,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CACnD,CAAC;QACF,IAAI;YACF,MAAM,MAAM,CAAC,OAAO,CAClB,wGAAwG,EACxG;gBACE,KAAK,EAAE,aAAa,CAAC,KAAK;gBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;gBACxB,QAAQ;gBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;gBAC5B,IAAI,EAAE,OAAO;gBACb,OAAO,EAAE;oBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;oBACzC,cAAc,EAAE,iBAAiB;iBAClC;aACF,CACF,CAAC;YACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;SAChE;QAAC,OAAO,CAAC,EAAE;YACV,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;SACnE;KACF;AACH,CAAC;AAxDD,0CAwDC"}
{"version":3,"file":"database-upload.js","sourceRoot":"","sources":["../src/database-upload.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AAEzB,4DAA8C;AAC9C,6CAA8D;AAC9D,qCAAqC;AAIrC,6CAA+B;AAC/B,iCAAkC;AAE3B,KAAK,UAAU,eAAe,CACnC,aAA4B,EAC5B,MAAc,EACd,UAA4B,EAC5B,MAAc;IAEd,IAAI,WAAW,CAAC,gBAAgB,CAAC,iBAAiB,CAAC,KAAK,MAAM,EAAE;QAC9D,MAAM,CAAC,KAAK,CAAC,wDAAwD,CAAC,CAAC;QACvE,OAAO;KACR;IAED,iDAAiD;IACjD,IAAI,MAAM,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;QAC3D,MAAM,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;QACjE,OAAO;KACR;IAED,IAAI,CAAC,CAAC,MAAM,WAAW,CAAC,wBAAwB,EAAE,CAAC,EAAE;QACnD,4EAA4E;QAC5E,MAAM,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;QAC/D,OAAO;KACR;IAED,MAAM,MAAM,GAAG,IAAA,yBAAY,GAAE,CAAC;IAC9B,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IAEjD,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;QACvC,IAAI;YACF,8BAA8B;YAC9B,2EAA2E;YAC3E,8EAA8E;YAC9E,wEAAwE;YACxE,MAAM,SAAS,GAAG,MAAM,IAAA,eAAQ,EAAC,MAAM,EAAE,QAAQ,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;YACrE,MAAM,aAAa,GAAG,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC;YAClD,MAAM,mBAAmB,GAAG,EAAE,CAAC,gBAAgB,CAAC,SAAS,CAAC,CAAC;YAC3D,IAAI;gBACF,MAAM,MAAM,CAAC,OAAO,CAClB,wGAAwG,EACxG;oBACE,KAAK,EAAE,aAAa,CAAC,KAAK;oBAC1B,IAAI,EAAE,aAAa,CAAC,IAAI;oBACxB,QAAQ;oBACR,IAAI,EAAE,GAAG,QAAQ,WAAW;oBAC5B,IAAI,EAAE,mBAAmB;oBACzB,OAAO,EAAE;wBACP,aAAa,EAAE,SAAS,UAAU,CAAC,IAAI,EAAE;wBACzC,cAAc,EAAE,iBAAiB;wBACjC,gBAAgB,EAAE,aAAa;qBAChC;iBACF,CACF,CAAC;gBACF,MAAM,CAAC,KAAK,CAAC,sCAAsC,QAAQ,EAAE,CAAC,CAAC;aAChE;oBAAS;gBACR,mBAAmB,CAAC,KAAK,EAAE,CAAC;aAC7B;SACF;QAAC,OAAO,CAAC,EAAE;YACV,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;YACf,4CAA4C;YAC5C,MAAM,CAAC,OAAO,CAAC,iCAAiC,QAAQ,KAAK,CAAC,EAAE,CAAC,CAAC;SACnE;KACF;AACH,CAAC;AA7DD,0CA6DC"}


@ -1,3 +1,6 @@
{
"bundleVersion": "codeql-bundle-20221211"
"bundleVersion": "codeql-bundle-20230105",
"cliVersion": "2.12.0",
"priorBundleVersion": "codeql-bundle-20221211",
"priorCliVersion": "2.11.6"
}

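--- a/lib/feature-flags.js
+++ b/lib/feature-flags.js
@@ -53,7 +53,7 @@ exports.featureConfig = {
 },
 [Feature.CliConfigFileEnabled]: {
 envVar: "CODEQL_PASS_CONFIG_TO_CLI",
-minimumVersion: "2.11.1",
+minimumVersion: "2.11.6",
 },
 [Feature.MlPoweredQueriesEnabled]: {
 envVar: "CODEQL_ML_POWERED_QUERIES",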


@ -19,7 +19,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.run = exports.uploadSarifIfRunFailed = exports.uploadFailedSarif = void 0;
exports.run = exports.tryUploadSarifIfRunFailed = void 0;
const core = __importStar(require("@actions/core"));
const actionsUtil = __importStar(require("./actions-util"));
const codeql_1 = require("./codeql");
@ -35,15 +35,17 @@ function createFailedUploadFailedSarifResult(error) {
upload_failed_run_stack_trace: error instanceof Error ? error.stack : undefined,
};
}
async function uploadFailedSarif(config, repositoryNwo, featureEnablement, logger) {
/**
* Upload a failed SARIF file if we can verify that SARIF upload is enabled and determine the SARIF
* category for the workflow.
*/
async function maybeUploadFailedSarif(config, repositoryNwo, featureEnablement, logger) {
var _a;
if (!config.codeQLCmd) {
logger.warning("CodeQL command not found. Unable to upload failed SARIF file.");
return { upload_failed_run_skipped_because: "CodeQL command not found" };
}
const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
if (!(await featureEnablement.getValue(feature_flags_1.Feature.UploadFailedSarifEnabled, codeql))) {
logger.debug("Uploading failed SARIF is disabled.");
return { upload_failed_run_skipped_because: "Feature disabled" };
}
const workflow = await (0, workflow_1.getWorkflow)();
@ -51,7 +53,6 @@ async function uploadFailedSarif(config, repositoryNwo, featureEnablement, logge
const matrix = (0, util_1.parseMatrixInput)(actionsUtil.getRequiredInput("matrix"));
if ((0, workflow_1.getUploadInputOrThrow)(workflow, jobName, matrix) !== "true" ||
(0, util_1.isInTestMode)()) {
logger.debug("Won't upload a failed SARIF file since SARIF upload is disabled.");
return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
}
const category = (0, workflow_1.getCategoryInputOrThrow)(workflow, jobName, matrix);
@ -63,40 +64,41 @@ async function uploadFailedSarif(config, repositoryNwo, featureEnablement, logge
await uploadLib.waitForProcessing(repositoryNwo, uploadResult.sarifID, logger, { isUnsuccessfulExecution: true });
return (_a = uploadResult === null || uploadResult === void 0 ? void 0 : uploadResult.statusReport) !== null && _a !== void 0 ? _a : {};
}
exports.uploadFailedSarif = uploadFailedSarif;
async function uploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger) {
// Environment variable used to integration test uploading a SARIF file for failed runs
const expectFailedSarifUpload = process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true";
if (process.env[shared_environment_1.CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF] !== "true") {
async function tryUploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger) {
if (process.env[shared_environment_1.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY] !== "true") {
try {
return await uploadFailedSarif(config, repositoryNwo, featureEnablement, logger);
return await maybeUploadFailedSarif(config, repositoryNwo, featureEnablement, logger);
}
catch (e) {
if (expectFailedSarifUpload) {
throw new Error("Expected to upload a SARIF file for the failed run, but encountered " +
`the following error: ${e}`);
}
logger.info(`Failed to upload a SARIF file for the failed run. Error: ${e}`);
logger.debug(`Failed to upload a SARIF file for this failed CodeQL code scanning run. ${e}`);
return createFailedUploadFailedSarifResult(e);
}
}
else if (expectFailedSarifUpload) {
throw new Error("Expected to upload a SARIF file for the failed run, but didn't.");
}
else {
return {
upload_failed_run_skipped_because: "SARIF file already uploaded",
upload_failed_run_skipped_because: "Analyze Action completed successfully",
};
}
}
exports.uploadSarifIfRunFailed = uploadSarifIfRunFailed;
exports.tryUploadSarifIfRunFailed = tryUploadSarifIfRunFailed;
async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, printDebugLogs, repositoryNwo, featureEnablement, logger) {
const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
if (config === undefined) {
logger.warning("Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.");
return;
}
const uploadFailedSarifResult = await uploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger);
const uploadFailedSarifResult = await tryUploadSarifIfRunFailed(config, repositoryNwo, featureEnablement, logger);
if (uploadFailedSarifResult.upload_failed_run_skipped_because) {
logger.debug("Won't upload a failed SARIF file for this CodeQL code scanning run because: " +
`${uploadFailedSarifResult.upload_failed_run_skipped_because}.`);
}
// Throw an error if in integration tests, we expected to upload a SARIF file for a failed run
// but we didn't upload anything.
if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true" &&
!uploadFailedSarifResult.raw_upload_size_bytes) {
throw new Error("Expected to upload a failed SARIF file for this CodeQL code scanning run, " +
`but the result was instead ${uploadFailedSarifResult}.`);
}
// Upload appropriate Actions artifacts for debugging
if (config.debugMode) {
core.info("Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...");
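Review bot: In `run`, the integration-test error at the end of the hunk interpolates an object, `${uploadFailedSarifResult}`, which renders as `[object Object]` and hides the very reason the upload was skipped; use `${JSON.stringify(uploadFailedSarifResult)}` so the `upload_failed_run_skipped_because` / `upload_failed_run_error` fields appear in the message. The same check reads `process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"]` as a bare string, while the earlier hunk in `tryUploadSarifIfRunFailed` reads its variable through the `shared_environment_1` constants; presumably both names belong in that module so the stringly-typed lookup is not duplicated. `run` continues past the end of the hunk.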


@ -1 +1 @@
{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAA8E;AAC9E,wDAA0C;AAC1C,iCAA6E;AAC7E,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,OAAO;QACL,uBAAuB,EACrB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;QACxD,6BAA6B,EAC3B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KACnD,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,iBAAiB,CACrC,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,MAAM,CAAC,OAAO,CACZ,+DAA+D,CAChE,CAAC;QACF,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IACE,CAAC,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAChC,uBAAO,CAAC,wBAAwB,EAChC,MAAM,CACP,CAAC,EACF;QACA,MAAM,CAAC,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACpD,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,GAAE,CAAC;IACrC,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,IACE,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,MAAM;QAC3D,IAAA,mBAAY,GAAE,EACd;QACA,MAAM,CAAC,KAAK,CACV,kEAAkE,CACnE,CAAC;QACF,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAE5E,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAC/C,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,MAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,YAAY,mCAAI,EAAE,CAAC;AAC1C,CAAC;AAtDD,8CAsDC;AAEM,KAAK,UAAU,sBAAsB,CAC1C,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,uFAAuF;I
ACvF,MAAM,uBAAuB,GAC3B,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM,CAAC;IAErE,IAAI,OAAO,CAAC,GAAG,CAAC,2DAAsC,CAAC,KAAK,MAAM,EAAE;QAClE,IAAI;YACF,OAAO,MAAM,iBAAiB,CAC5B,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;QAAC,OAAO,CAAC,EAAE;YACV,IAAI,uBAAuB,EAAE;gBAC3B,MAAM,IAAI,KAAK,CACb,sEAAsE;oBACpE,wBAAwB,CAAC,EAAE,CAC9B,CAAC;aACH;YACD,MAAM,CAAC,IAAI,CACT,4DAA4D,CAAC,EAAE,CAChE,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM,IAAI,uBAAuB,EAAE;QAClC,MAAM,IAAI,KAAK,CACb,iEAAiE,CAClE,CAAC;KACH;SAAM;QACL,OAAO;YACL,iCAAiC,EAAE,6BAA6B;SACjE,CAAC;KACH;AACH,CAAC;AAvCD,wDAuCC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,sBAAsB,CAC1D,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;IAEF,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AAnCD,kBAmCC"}
{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,qCAAqC;AACrC,iDAAmD;AACnD,mDAA6D;AAG7D,6DAAuF;AACvF,wDAA0C;AAC1C,iCAA6E;AAC7E,yCAKoB;AAWpB,SAAS,mCAAmC,CAC1C,KAAc;IAEd,OAAO;QACL,uBAAuB,EACrB,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;QACxD,6BAA6B,EAC3B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS;KACnD,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,sBAAsB,CACnC,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;;IAEd,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE;QACrB,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IACE,CAAC,CAAC,MAAM,iBAAiB,CAAC,QAAQ,CAChC,uBAAO,CAAC,wBAAwB,EAChC,MAAM,CACP,CAAC,EACF;QACA,OAAO,EAAE,iCAAiC,EAAE,kBAAkB,EAAE,CAAC;KAClE;IACD,MAAM,QAAQ,GAAG,MAAM,IAAA,sBAAW,GAAE,CAAC;IACrC,MAAM,OAAO,GAAG,IAAA,0BAAmB,EAAC,YAAY,CAAC,CAAC;IAClD,MAAM,MAAM,GAAG,IAAA,uBAAgB,EAAC,WAAW,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC,CAAC;IACxE,IACE,IAAA,gCAAqB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,KAAK,MAAM;QAC3D,IAAA,mBAAY,GAAE,EACd;QACA,OAAO,EAAE,iCAAiC,EAAE,0BAA0B,EAAE,CAAC;KAC1E;IACD,MAAM,QAAQ,GAAG,IAAA,kCAAuB,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IACpE,MAAM,YAAY,GAAG,IAAA,sCAA2B,EAAC,QAAQ,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;IAE5E,MAAM,SAAS,GAAG,4BAA4B,CAAC;IAC/C,MAAM,MAAM,CAAC,iBAAiB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC;IAEpD,IAAI,CAAC,IAAI,CAAC,+BAA+B,SAAS,EAAE,CAAC,CAAC;IACtD,MAAM,YAAY,GAAG,MAAM,SAAS,CAAC,iBAAiB,CACpD,SAAS,EACT,YAAY,EACZ,QAAQ,EACR,MAAM,CACP,CAAC;IACF,MAAM,SAAS,CAAC,iBAAiB,CAC/B,aAAa,EACb,YAAY,CAAC,OAAO,EACpB,MAAM,EACN,EAAE,uBAAuB,EAAE,IAAI,EAAE,CAClC,CAAC;IACF,OAAO,MAAA,YAAY,aAAZ,YAAY,uBAAZ,YAAY,CAAE,YAAY,mCAAI,EAAE,CAAC;AAC1C,CAAC;AAEM,KAAK,UAAU,yBAAyB,CAC7C,MAAc,EACd,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,IAAI,OAAO,CAAC,GAAG,CAAC,oEAA+C,CAAC,KAAK,MAAM,EAAE;QAC3E,IAAI;YACF,OAAO,MAAM,sBAAsB,CACjC,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC
;SACH;QAAC,OAAO,CAAC,EAAE;YACV,MAAM,CAAC,KAAK,CACV,2EAA2E,CAAC,EAAE,CAC/E,CAAC;YACF,OAAO,mCAAmC,CAAC,CAAC,CAAC,CAAC;SAC/C;KACF;SAAM;QACL,OAAO;YACL,iCAAiC,EAC/B,uCAAuC;SAC1C,CAAC;KACH;AACH,CAAC;AA1BD,8DA0BC;AAEM,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB,EACxB,aAA4B,EAC5B,iBAAoC,EACpC,MAAc;IAEd,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;QACF,OAAO;KACR;IAED,MAAM,uBAAuB,GAAG,MAAM,yBAAyB,CAC7D,MAAM,EACN,aAAa,EACb,iBAAiB,EACjB,MAAM,CACP,CAAC;IACF,IAAI,uBAAuB,CAAC,iCAAiC,EAAE;QAC7D,MAAM,CAAC,KAAK,CACV,8EAA8E;YAC5E,GAAG,uBAAuB,CAAC,iCAAiC,GAAG,CAClE,CAAC;KACH;IACD,8FAA8F;IAC9F,iCAAiC;IACjC,IACE,OAAO,CAAC,GAAG,CAAC,0CAA0C,CAAC,KAAK,MAAM;QAClE,CAAC,uBAAuB,CAAC,qBAAqB,EAC9C;QACA,MAAM,IAAI,KAAK,CACb,4EAA4E;YAC1E,8BAA8B,uBAAuB,GAAG,CAC3D,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,CAAC,SAAS,EAAE;QACpB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;IAED,OAAO,uBAAuB,CAAC;AACjC,CAAC;AApDD,kBAoDC"}


@ -125,15 +125,63 @@ const workflow = __importStar(require("./workflow"));
},
},
]);
await testFailedSarifUpload(t, actionsWorkflow, {
expectedLogs: [
{
message: "Won't upload a failed SARIF file since SARIF upload is disabled.",
type: "debug",
},
],
const result = await testFailedSarifUpload(t, actionsWorkflow, {
expectUpload: false,
});
t.is(result.upload_failed_run_skipped_because, "SARIF upload is disabled");
});
(0, ava_1.default)("uploading failed SARIF run succeeds when workflow uses an input with a matrix var", async (t) => {
const actionsWorkflow = createTestWorkflow([
{
name: "Checkout repository",
uses: "actions/checkout@v3",
},
{
name: "Initialize CodeQL",
uses: "github/codeql-action/init@v2",
with: {
languages: "javascript",
},
},
{
name: "Perform CodeQL Analysis",
uses: "github/codeql-action/analyze@v2",
with: {
category: "/language:${{ matrix.language }}",
},
},
]);
await testFailedSarifUpload(t, actionsWorkflow, {
category: "/language:csharp",
matrix: { language: "csharp" },
});
});
(0, ava_1.default)("uploading failed SARIF run fails when workflow uses a complex upload input", async (t) => {
const actionsWorkflow = createTestWorkflow([
{
name: "Checkout repository",
uses: "actions/checkout@v3",
},
{
name: "Initialize CodeQL",
uses: "github/codeql-action/init@v2",
with: {
languages: "javascript",
},
},
{
name: "Perform CodeQL Analysis",
uses: "github/codeql-action/analyze@v2",
with: {
upload: "${{ matrix.language != 'csharp' }}",
},
},
]);
const result = await testFailedSarifUpload(t, actionsWorkflow, {
expectUpload: false,
});
t.is(result.upload_failed_run_error, "Could not get upload input to github/codeql-action/analyze since it contained an " +
"unrecognized dynamic value.");
});
(0, ava_1.default)("uploading failed SARIF run fails when workflow does not reference github/codeql-action", async (t) => {
const actionsWorkflow = createTestWorkflow([
@ -142,7 +190,12 @@ const workflow = __importStar(require("./workflow"));
uses: "actions/checkout@v3",
},
]);
await t.throwsAsync(async () => await testFailedSarifUpload(t, actionsWorkflow));
const result = await testFailedSarifUpload(t, actionsWorkflow, {
expectUpload: false,
});
t.is(result.upload_failed_run_error, "Could not get upload input to github/codeql-action/analyze since the analyze job does not " +
"call github/codeql-action/analyze.");
t.truthy(result.upload_failed_run_stack_trace);
});
function createTestWorkflow(steps) {
return {
@ -164,28 +217,38 @@ function createTestWorkflow(steps) {
},
};
}
async function testFailedSarifUpload(t, actionsWorkflow, { category, expectedLogs = [], expectUpload = true, } = {}) {
async function testFailedSarifUpload(t, actionsWorkflow, { category, expectUpload = true, matrix = {}, } = {}) {
const config = {
codeQLCmd: "codeql",
debugMode: true,
languages: [],
packs: [],
};
const messages = [];
process.env["GITHUB_JOB"] = "analyze";
process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
process.env["GITHUB_WORKSPACE"] =
"/home/runner/work/codeql-action/codeql-action";
sinon.stub(actionsUtil, "getRequiredInput").withArgs("matrix").returns("{}");
sinon
.stub(actionsUtil, "getRequiredInput")
.withArgs("matrix")
.returns(JSON.stringify(matrix));
const codeqlObject = await codeql.getCodeQLForTesting();
sinon.stub(codeql, "getCodeQL").resolves(codeqlObject);
const diagnosticsExportStub = sinon.stub(codeqlObject, "diagnosticsExport");
sinon.stub(workflow, "getWorkflow").resolves(actionsWorkflow);
const uploadFromActions = sinon.stub(uploadLib, "uploadFromActions");
uploadFromActions.resolves({ sarifID: "42" });
uploadFromActions.resolves({
sarifID: "42",
statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
});
const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");
await initActionPostHelper.uploadFailedSarif(config, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.UploadFailedSarifEnabled]), (0, testing_utils_1.getRecordingLogger)(messages));
t.deepEqual(messages, expectedLogs);
const result = await initActionPostHelper.tryUploadSarifIfRunFailed(config, (0, repository_1.parseRepositoryNwo)("github/codeql-action"), (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.UploadFailedSarifEnabled]), (0, logging_1.getRunnerLogger)(true));
if (expectUpload) {
t.deepEqual(result, {
raw_upload_size_bytes: 20,
zipped_upload_size_bytes: 10,
});
}
if (expectUpload) {
t.true(diagnosticsExportStub.calledOnceWith(sinon.match.string, category), `Actual args were: ${diagnosticsExportStub.args}`);
t.true(uploadFromActions.calledOnceWith(sinon.match.string, sinon.match.string, category, sinon.match.any), `Actual args were: ${uploadFromActions.args}`);
@ -198,5 +261,6 @@ async function testFailedSarifUpload(t, actionsWorkflow, { category, expectedLog
t.true(uploadFromActions.notCalled);
t.true(waitForProcessing.notCalled);
}
return result;
}
//# sourceMappingURL=init-action-post-helper.test.js.map


4
lib/init.js generated

@ -30,9 +30,9 @@ const configUtils = __importStar(require("./config-utils"));
const tracer_config_1 = require("./tracer-config");
const util = __importStar(require("./util"));
const util_1 = require("./util");
async function initCodeQL(codeqlURL, apiDetails, tempDir, variant, bypassToolcache, logger) {
async function initCodeQL(toolsInput, apiDetails, tempDir, variant, bypassToolcache, logger) {
logger.startGroup("Setup CodeQL tools");
const { codeql, toolsVersion } = await (0, codeql_1.setupCodeQL)(codeqlURL, apiDetails, tempDir, variant, bypassToolcache, logger, true);
const { codeql, toolsVersion } = await (0, codeql_1.setupCodeQL)(toolsInput, apiDetails, tempDir, variant, bypassToolcache, logger, true);
await codeql.printVersion();
logger.endGroup();
return { codeql, toolsVersion };


@ -1 +1 @@
{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA2E;AAC3E,4DAA8C;AAI9C,mDAAwE;AACxE,6CAA+B;AAC/B,iCAA4C;AAErC,KAAK,UAAU,UAAU,CAC9B,SAA6B,EAC7B,UAA4B,EAC5B,OAAe,EACf,OAA2B,EAC3B,eAAwB,EACxB,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,IAAA,oBAAW,EAChD,SAAS,EACT,UAAU,EACV,OAAO,EACP,OAAO,EACP,eAAe,EACf,MAAM,EACN,IAAI,CACL,CAAC;IACF,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;AAClC,CAAC;AArBD,gCAqBC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,eAAmC,EACnC,UAA8B,EAC9B,UAA8B,EAC9B,kBAA2B,EAC3B,SAAkB,EAClB,iBAAyB,EACzB,iBAAyB,EACzB,UAAyB,EACzB,OAAe,EACf,MAAc,EACd,aAAqB,EACrB,aAAiC,EACjC,UAAoC,EACpC,iBAAoC,EACpC,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,eAAe,EACf,UAAU,EACV,UAAU,EACV,kBAAkB,EAClB,SAAS,EACT,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,OAAO,EACP,MAAM,EACN,aAAa,EACb,aAAa,EACb,UAAU,EACV,iBAAiB,EACjB,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA5CD,gCA4CC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B,EAC1B,UAAkB,EAClB,WAA+B,EAC/B,iBAAoC,EACpC,MAAc;IAEd,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAErD,IAAI;QACF,IAAI,MAAM,IAAA,yBAAkB,EAAC,MAAM,EAAE,mCAA0B,CAAC,EAAE;YAChE,0BAA0B;YAC1B,MAAM,MAAM,CAAC,mBAAmB,CAC9B,MAAM,EACN,UAAU,EACV,WAAW,EACX,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;aAAM;YACL,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;gBACvC,yBAAyB;gBACzB,MAAM,MAAM,CAAC,YAAY,CACvB,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EAC5C,QAAQ,EACR,UAAU,CACX,CAAC;aACH;SACF;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,YAAY,CAAC,CAAC,CAAC,CAAC;KACvB;IACD,OAAO,MAAM,IAAA,uCAAuB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC;AAlCD,0BAkCC;AAED;;;;;;;;GAQG;AACH,SA
AS,YAAY,CAAC,CAAM;;IAC1B,IAAI,CAAC,CAAC,CAAC,YAAY,KAAK,CAAC,EAAE;QACzB,OAAO,CAAC,CAAC;KACV;IAED;IACE,2BAA2B;IAC3B,CAAA,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,8BAA8B,CAAC;SACnD,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,uCAAuC,CAAC,CAAA,EAC5D;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CACvB,sDAAsD,CAAC,CAAC,OAAO,EAAE,CAClE,CAAC;KACH;IAED;IACE,+EAA+E;IAC/E,CAAA,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,wCAAwC,CAAC;;QAC7D,gEAAgE;QAChE,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,qBAAqB,CAAC,CAAA,EAC1C;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;KACtC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAED,sEAAsE;AACtE,4EAA4E;AAC5E,4EAA4E;AAC5E,6EAA6E;AAC7E,+CAA+C;AACxC,KAAK,UAAU,mBAAmB,CACvC,WAA+B,EAC/B,YAAgC,EAChC,MAA0B,EAC1B,MAAc,EACd,YAA0B;IAE1B,IAAI,MAAc,CAAC;IACnB,IAAI,WAAW,KAAK,SAAS,EAAE;QAC7B,MAAM,GAAG;;;;;;;;;;;;uCAY0B,WAAW;;8BAEpB,WAAW;;;;;;;;gDAQO,CAAC;KAC9C;SAAM;QACL,oEAAoE;QACpE,mFAAmF;QACnF,+EAA+E;QAC/E,kFAAkF;QAClF,6EAA6E;QAC7E,oFAAoF;QACpF,6CAA6C;QAC7C,YAAY,GAAG,YAAY,IAAI,CAAC,CAAC;QACjC,MAAM,GAAG;;;;;;;;4BAQe,YAAY;;;;;;;;;;;;;;;;;;;;;gDAqBQ,CAAC;KAC9C;IAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACxE,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE3C,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC;QACE,kBAAkB;QAClB,QAAQ;QACR,OAAO;QACP,gBAAgB;QAChB,IAAI,CAAC,OAAO,CACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAC9B,OAAO,EACP,OAAO,EACP,YAAY,CACb;KACF,EACD,EAAE,GAAG,EAAE,EAAE,0BAA0B,EAAE,YAAY,CAAC,IAAI,EAAE,EAAE,CAC3D,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AA5FD,kDA4FC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,IAAI;QACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;gBACvE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC;aAC9C,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;SACV;QACD,
MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;gBACpE,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,gFAAgF,CAAC,IAAI;YACnF,qGAAqG;YACrG,oGAAoG;YACpG,iDAAiD,CACpD,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAzCD,8CAyCC"}
{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,yEAA2D;AAC3D,kEAAoD;AAEpD,gEAAkD;AAElD,qCAA2E;AAC3E,4DAA8C;AAI9C,mDAAwE;AACxE,6CAA+B;AAC/B,iCAA4C;AAErC,KAAK,UAAU,UAAU,CAC9B,UAA8B,EAC9B,UAA4B,EAC5B,OAAe,EACf,OAA2B,EAC3B,eAAwB,EACxB,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;IACxC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,MAAM,IAAA,oBAAW,EAChD,UAAU,EACV,UAAU,EACV,OAAO,EACP,OAAO,EACP,eAAe,EACf,MAAM,EACN,IAAI,CACL,CAAC;IACF,MAAM,MAAM,CAAC,YAAY,EAAE,CAAC;IAC5B,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC;AAClC,CAAC;AArBD,gCAqBC;AAEM,KAAK,UAAU,UAAU,CAC9B,cAAkC,EAClC,YAAgC,EAChC,UAA8B,EAC9B,eAAmC,EACnC,UAA8B,EAC9B,UAA8B,EAC9B,kBAA2B,EAC3B,SAAkB,EAClB,iBAAyB,EACzB,iBAAyB,EACzB,UAAyB,EACzB,OAAe,EACf,MAAc,EACd,aAAqB,EACrB,aAAiC,EACjC,UAAoC,EACpC,iBAAoC,EACpC,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,6BAA6B,CAAC,CAAC;IACjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,UAAU,CACzC,cAAc,EACd,YAAY,EACZ,UAAU,EACV,eAAe,EACf,UAAU,EACV,UAAU,EACV,kBAAkB,EAClB,SAAS,EACT,iBAAiB,EACjB,iBAAiB,EACjB,UAAU,EACV,OAAO,EACP,MAAM,EACN,aAAa,EACb,aAAa,EACb,UAAU,EACV,iBAAiB,EACjB,MAAM,CACP,CAAC;IACF,aAAa,CAAC,uBAAuB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACtD,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA5CD,gCA4CC;AAEM,KAAK,UAAU,OAAO,CAC3B,MAAc,EACd,MAA0B,EAC1B,UAAkB,EAClB,WAA+B,EAC/B,iBAAoC,EACpC,MAAc;IAEd,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAErD,IAAI;QACF,IAAI,MAAM,IAAA,yBAAkB,EAAC,MAAM,EAAE,mCAA0B,CAAC,EAAE;YAChE,0BAA0B;YAC1B,MAAM,MAAM,CAAC,mBAAmB,CAC9B,MAAM,EACN,UAAU,EACV,WAAW,EACX,iBAAiB,EACjB,MAAM,CACP,CAAC;SACH;aAAM;YACL,KAAK,MAAM,QAAQ,IAAI,MAAM,CAAC,SAAS,EAAE;gBACvC,yBAAyB;gBACzB,MAAM,MAAM,CAAC,YAAY,CACvB,IAAI,CAAC,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,EAC5C,QAAQ,EACR,UAAU,CACX,CAAC;aACH;SACF;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,YAAY,CAAC,CAAC,CAAC,CAAC;KACvB;IACD,OAAO,MAAM,IAAA,uCAAuB,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AACvD,CAAC;AAlCD,0BAkCC;AAED;;;;;;;;GAQG;AACH,SA
AS,YAAY,CAAC,CAAM;;IAC1B,IAAI,CAAC,CAAC,CAAC,YAAY,KAAK,CAAC,EAAE;QACzB,OAAO,CAAC,CAAC;KACV;IAED;IACE,2BAA2B;IAC3B,CAAA,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,8BAA8B,CAAC;SACnD,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,uCAAuC,CAAC,CAAA,EAC5D;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CACvB,sDAAsD,CAAC,CAAC,OAAO,EAAE,CAClE,CAAC;KACH;IAED;IACE,+EAA+E;IAC/E,CAAA,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,wCAAwC,CAAC;;QAC7D,gEAAgE;QAChE,MAAA,CAAC,CAAC,OAAO,0CAAE,QAAQ,CAAC,qBAAqB,CAAC,CAAA,EAC1C;QACA,OAAO,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;KACtC;IAED,OAAO,CAAC,CAAC;AACX,CAAC;AAED,sEAAsE;AACtE,4EAA4E;AAC5E,4EAA4E;AAC5E,6EAA6E;AAC7E,+CAA+C;AACxC,KAAK,UAAU,mBAAmB,CACvC,WAA+B,EAC/B,YAAgC,EAChC,MAA0B,EAC1B,MAAc,EACd,YAA0B;IAE1B,IAAI,MAAc,CAAC;IACnB,IAAI,WAAW,KAAK,SAAS,EAAE;QAC7B,MAAM,GAAG;;;;;;;;;;;;uCAY0B,WAAW;;8BAEpB,WAAW;;;;;;;;gDAQO,CAAC;KAC9C;SAAM;QACL,oEAAoE;QACpE,mFAAmF;QACnF,+EAA+E;QAC/E,kFAAkF;QAClF,6EAA6E;QAC7E,oFAAoF;QACpF,6CAA6C;QAC7C,YAAY,GAAG,YAAY,IAAI,CAAC,CAAC;QACjC,MAAM,GAAG;;;;;;;;4BAQe,YAAY;;;;;;;;;;;;;;;;;;;;;gDAqBQ,CAAC;KAC9C;IAED,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,OAAO,EAAE,mBAAmB,CAAC,CAAC;IACxE,EAAE,CAAC,aAAa,CAAC,gBAAgB,EAAE,MAAM,CAAC,CAAC;IAE3C,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EACvC;QACE,kBAAkB;QAClB,QAAQ;QACR,OAAO;QACP,gBAAgB;QAChB,IAAI,CAAC,OAAO,CACV,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC,EAC9B,OAAO,EACP,OAAO,EACP,YAAY,CACb;KACF,EACD,EAAE,GAAG,EAAE,EAAE,0BAA0B,EAAE,YAAY,CAAC,IAAI,EAAE,EAAE,CAC3D,CAAC,IAAI,EAAE,CAAC;AACX,CAAC;AA5FD,kDA4FC;AAEM,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IACpE,MAAM,CAAC,UAAU,CAAC,2BAA2B,CAAC,CAAC;IAE/C,MAAM,aAAa,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;IAEjE,IAAI;QACF,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,YAAY,CAAC,EAAE;gBACvE,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,mBAAmB,CAAC;aAC9C,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAC7B,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,kBAAkB,CAAC,CAC7C,CAAC,IAAI,EAAE,CAAC;SACV;QACD,
MAAM,MAAM,GAAG,0BAA0B,CAAC;QAC1C,IAAI,OAAO,CAAC,QAAQ,KAAK,OAAO,EAAE;YAChC,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,IAAI,CAAC,EAAE;gBAC/D,IAAI;gBACJ,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;aAAM;YACL,MAAM,IAAI,UAAU,CAAC,UAAU,CAAC,MAAM,SAAS,CAAC,SAAS,CAAC,SAAS,CAAC,EAAE;gBACpE,IAAI;gBACJ,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;gBAChC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,OAAO,EAAE,CAAC;aAC/B,CAAC,CAAC,IAAI,EAAE,CAAC;SACX;KACF;IAAC,OAAO,CAAC,EAAE;QACV,MAAM,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,CAAC,OAAO,CACZ,gFAAgF,CAAC,IAAI;YACnF,qGAAqG;YACrG,oGAAoG;YACpG,iDAAiD,CACpD,CAAC;QACF,OAAO;KACR;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAzCD,8CAyCC"}


@ -1,12 +1,11 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.ODASA_TRACER_CONFIGURATION = exports.CODEQL_WORKFLOW_STARTED_AT = exports.CODEQL_ACTION_TEST_MODE = exports.CODEQL_ACTION_TESTING_ENVIRONMENT = exports.CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF = void 0;
exports.ODASA_TRACER_CONFIGURATION = exports.CODEQL_WORKFLOW_STARTED_AT = exports.CODEQL_ACTION_TEST_MODE = exports.CODEQL_ACTION_TESTING_ENVIRONMENT = exports.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY = void 0;
/**
* This environment variable is set to true when the `analyze` Action
* successfully uploads a SARIF file. It does NOT indicate whether the
* SARIF file was processed successfully.
* completes successfully.
*/
exports.CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF = "CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF";
exports.CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY = "CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY";
exports.CODEQL_ACTION_TESTING_ENVIRONMENT = "CODEQL_ACTION_TESTING_ENVIRONMENT";
/** Used to disable uploading SARIF results or status reports to the GitHub API */
exports.CODEQL_ACTION_TEST_MODE = "CODEQL_ACTION_TEST_MODE";


@ -1 +1 @@
{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAA;;;;GAIG;AACU,QAAA,sCAAsC,GACjD,wCAAwC,CAAC;AAE9B,QAAA,iCAAiC,GAC5C,mCAAmC,CAAC;AAEtC,kFAAkF;AACrE,QAAA,uBAAuB,GAAG,yBAAyB,CAAC;AAEjE;;;;;;GAMG;AACU,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AAE1D,QAAA,0BAA0B,GAAG,4BAA4B,CAAC"}
{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAA;;;GAGG;AACU,QAAA,+CAA+C,GAC1D,iDAAiD,CAAC;AAEvC,QAAA,iCAAiC,GAC5C,mCAAmC,CAAC;AAEtC,kFAAkF;AACrE,QAAA,uBAAuB,GAAG,yBAAyB,CAAC;AAEjE;;;;;;GAMG;AACU,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AAE1D,QAAA,0BAA0B,GAAG,4BAA4B,CAAC"}

3
lib/testing-utils.js generated

@ -21,6 +21,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
Object.defineProperty(exports, "__esModule", { value: true });
exports.createFeatures = exports.mockCodeQLVersion = exports.mockLanguagesInRepo = exports.mockFeatureFlagApiEndpoint = exports.getRecordingLogger = exports.setupActionsVars = exports.setupTests = void 0;
const github = __importStar(require("@actions/github"));
const nock = __importStar(require("nock"));
const sinon = __importStar(require("sinon"));
const apiClient = __importStar(require("./api-client"));
const CodeQL = __importStar(require("./codeql"));
@ -85,6 +86,8 @@ function setupTests(test) {
if (!t.passed) {
process.stdout.write(t.context.testOutput);
}
// Undo any modifications made by nock
nock.cleanAll();
// Undo any modifications made by sinon
sinon.restore();
// Undo any modifications to the env


@ -1 +1 @@
{"version":3,"file":"testing-utils.js","sourceRoot":"","sources":["../src/testing-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,wDAA0C;AAE1C,6CAA+B;AAE/B,wDAA0C;AAC1C,iDAAmC;AAGnC,iCAAmC;AASnC,SAAS,UAAU,CAAC,OAAoB;IACtC,8CAA8C;IAC9C,gCAAgC;IAChC,2EAA2E;IAC3E,2FAA2F;IAC3F,OAAO,CACL,KAA0B,EAC1B,QAAiB,EACjB,EAA0B,EACjB,EAAE;QACX,2CAA2C;QAC3C,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE;YACtD,EAAE,GAAG,QAAQ,CAAC;YACd,QAAQ,GAAG,SAAS,CAAC;SACtB;QAED,oBAAoB;QACpB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;YAC7B,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC;SAC7B;aAAM;YACL,OAAO,CAAC,UAAU,IAAI,IAAI,WAAW,CAAC,QAAQ,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;SAC1E;QAED,iDAAiD;QACjD,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YAChD,EAAE,EAAE,CAAC;SACN;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED,SAAgB,UAAU,CAAC,IAAiB;IAC1C,MAAM,SAAS,GAAG,IAA2B,CAAC;IAE9C,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE;QACzB,gEAAgE;QAChE,0CAA0C;QAC1C,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAErB,iEAAiE;QACjE,CAAC,CAAC,OAAO,CAAC,UAAU,GAAG,EAAE,CAAC;QAC1B,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QACpD,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QAEpD,2EAA2E;QAC3E,2EAA2E;QAC3E,yCAAyC;QACzC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAC9C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,MAAM,CAClC,CAAC;QACF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;YACvB,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;SAC7C;QAED,mEAAmE;QACnE,wEAAwE;QACxE,kEAAkE;QAClE,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC;QACnB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QAC/B,4
BAA4B;QAC5B,0DAA0D;QAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE;YACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;SAC5C;QAED,uCAAuC;QACvC,KAAK,CAAC,OAAO,EAAE,CAAC;QAEhB,oCAAoC;QACpC,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AAjDD,gCAiDC;AAED,yEAAyE;AACzE,sDAAsD;AACtD,SAAgB,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IAChE,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,QAAQ,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,GAAG,OAAO,CAAC;AAC5C,CAAC;AAJD,4CAIC;AAOD,SAAgB,kBAAkB,CAAC,QAAyB;IAC1D,OAAO;QACL,KAAK,EAAE,CAAC,OAAe,EAAE,EAAE;YACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,EAAE,CAAC,OAAe,EAAE,EAAE;YACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACzC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,EAAE,CAAC,OAAuB,EAAE,EAAE;YACnC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YAC5C,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,KAAK,EAAE,CAAC,OAAuB,EAAE,EAAE;YACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI;QACnB,UAAU,EAAE,GAAG,EAAE,CAAC,SAAS;QAC3B,QAAQ,EAAE,GAAG,EAAE,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAtBD,gDAsBC;AAED,0EAA0E;AAC1E,SAAgB,0BAA0B,CACxC,kBAA0B,EAC1B,QAAyC;IAEzC,kEAAkE;IAClE,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAExC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAEjD,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAClC,8DAA8D,CAC/D,CAAC;IACF,IAAI,kBAAkB,GAAG,GAAG,EAAE;QAC5B,QAAQ,CAAC,QAAQ,CAAC;YAChB,MAAM,EAAE,kBAAkB;YAC1B,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,EAAE;YACX,GAAG,EAAE,8DAA8D;SACpE,CAAC,CAAC;KACJ;SAAM;QACL,QAAQ,CAAC,MAAM,CAAC,IAAI,gBAAS,CAAC,oBAAoB,EAAE,kBAAkB,CAAC,CAAC,CAAC;KAC1E;IAED,KAAK,CAAC,IAAI,
CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;AAC5D,CAAC;AAxBD,gEAwBC;AAED,SAAgB,mBAAmB,CAAC,SAAmB;IACrD,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IACzD,MAAM,aAAa,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;QAC1C,MAAM,EAAE,GAAG;QACX,IAAI,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;YACnC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACd,OAAO,GAAG,CAAC;QACb,CAAC,EAAE,EAAE,CAAC;QACN,OAAO,EAAE,EAAE;QACX,GAAG,EAAE,mCAAmC;KACzC,CAAC,CAAC;IAEH,UAAU,CAAC,OAAO,CAAC;QACjB,KAAK,EAAE;YACL,aAAa;SACd;KACK,CAAC,CAAC;IACV,OAAO,aAAa,CAAC;AACvB,CAAC;AAlBD,kDAkBC;AAED,SAAgB,iBAAiB,CAAC,OAAO;IACvC,OAAO;QACL,KAAK,CAAC,UAAU;YACd,OAAO,OAAO,CAAC;QACjB,CAAC;KACe,CAAC;AACrB,CAAC;AAND,8CAMC;AAED;;;;GAIG;AACH,SAAgB,cAAc,CAAC,eAA0B;IACvD,OAAO;QACL,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;YAC1B,OAAO,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;KACF,CAAC;AACJ,CAAC;AAND,wCAMC"}
{"version":3,"file":"testing-utils.js","sourceRoot":"","sources":["../src/testing-utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,wDAA0C;AAE1C,2CAA6B;AAC7B,6CAA+B;AAE/B,wDAA0C;AAC1C,iDAAmC;AAGnC,iCAAmC;AASnC,SAAS,UAAU,CAAC,OAAoB;IACtC,8CAA8C;IAC9C,gCAAgC;IAChC,2EAA2E;IAC3E,2FAA2F;IAC3F,OAAO,CACL,KAA0B,EAC1B,QAAiB,EACjB,EAA0B,EACjB,EAAE;QACX,2CAA2C;QAC3C,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,QAAQ,KAAK,UAAU,EAAE;YACtD,EAAE,GAAG,QAAQ,CAAC;YACd,QAAQ,GAAG,SAAS,CAAC;SACtB;QAED,oBAAoB;QACpB,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE;YAC7B,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC;SAC7B;aAAM;YACL,OAAO,CAAC,UAAU,IAAI,IAAI,WAAW,CAAC,QAAQ,IAAI,OAAO,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;SAC1E;QAED,iDAAiD;QACjD,IAAI,EAAE,KAAK,SAAS,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YAChD,EAAE,EAAE,CAAC;SACN;QAED,OAAO,IAAI,CAAC;IACd,CAAC,CAAC;AACJ,CAAC;AAED,SAAgB,UAAU,CAAC,IAAiB;IAC1C,MAAM,SAAS,GAAG,IAA2B,CAAC;IAE9C,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,EAAE;QACzB,gEAAgE;QAChE,0CAA0C;QAC1C,MAAM,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAErB,iEAAiE;QACjE,CAAC,CAAC,OAAO,CAAC,UAAU,GAAG,EAAE,CAAC;QAC1B,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QACpD,MAAM,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QACrE,CAAC,CAAC,OAAO,CAAC,WAAW,GAAG,kBAAkB,CAAC;QAC3C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,UAAU,CAAC,CAAC,CAAC,OAAO,CAAQ,CAAC;QAEpD,2EAA2E;QAC3E,2EAA2E;QAC3E,yCAAyC;QACzC,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,CAC9C,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,MAAM,CAClC,CAAC;QACF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE;YACvB,OAAO,CAAC,GAAG,CAAC,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;SAC7C;QAED,mEAAmE;QACnE,wEAAwE;QACxE,kEAAkE;QAClE,CAAC,CAAC,OAAO,CAAC,GAAG,GAAG,EAAE,CAAC;QACnB,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,GAAG,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE
,EAAE;QAC/B,4BAA4B;QAC5B,0DAA0D;QAC1D,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,OAAO,CAAC,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC;QAC7C,IAAI,CAAC,CAAC,CAAC,MAAM,EAAE;YACb,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;SAC5C;QAED,sCAAsC;QACtC,IAAI,CAAC,QAAQ,EAAE,CAAC;QAEhB,uCAAuC;QACvC,KAAK,CAAC,OAAO,EAAE,CAAC;QAEhB,oCAAoC;QACpC,OAAO,CAAC,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC;IAC9B,CAAC,CAAC,CAAC;AACL,CAAC;AApDD,gCAoDC;AAED,yEAAyE;AACzE,sDAAsD;AACtD,SAAgB,gBAAgB,CAAC,OAAe,EAAE,QAAgB;IAChE,OAAO,CAAC,GAAG,CAAC,aAAa,CAAC,GAAG,OAAO,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,QAAQ,CAAC;IAC5C,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,GAAG,OAAO,CAAC;AAC5C,CAAC;AAJD,4CAIC;AAOD,SAAgB,kBAAkB,CAAC,QAAyB;IAC1D,OAAO;QACL,KAAK,EAAE,CAAC,OAAe,EAAE,EAAE;YACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,IAAI,EAAE,CAAC,OAAe,EAAE,EAAE;YACxB,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACzC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,EAAE,CAAC,OAAuB,EAAE,EAAE;YACnC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;YAC5C,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;QACD,KAAK,EAAE,CAAC,OAAuB,EAAE,EAAE;YACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC,CAAC;YAC1C,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;QACD,OAAO,EAAE,GAAG,EAAE,CAAC,IAAI;QACnB,UAAU,EAAE,GAAG,EAAE,CAAC,SAAS;QAC3B,QAAQ,EAAE,GAAG,EAAE,CAAC,SAAS;KAC1B,CAAC;AACJ,CAAC;AAtBD,gDAsBC;AAED,0EAA0E;AAC1E,SAAgB,0BAA0B,CACxC,kBAA0B,EAC1B,QAAyC;IAEzC,kEAAkE;IAClE,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC,KAAK,CAAC,CAAC;IAExC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,CAAC;IAEjD,MAAM,QAAQ,GAAG,UAAU,CAAC,QAAQ,CAClC,8DAA8D,CAC/D,CAAC;IACF,IAAI,kBAAkB,GAAG,GAAG,EAAE;QAC5B,QAAQ,CAAC,QAAQ,CAAC;YAChB,MAAM,EAAE,kBAAkB;YAC1B,IAAI,EAAE,QAAQ;YACd,OAAO,EAAE,EAAE;YACX,GAAG,EAAE,8DAA8D;SACpE,CAAC,CAAC;KACJ;SAAM;QACL,QAAQ,CAAC,MAAM,CAAC,IAAI,gBAAS,CAAC,oBA
AoB,EAAE,kBAAkB,CAAC,CAAC,CAAC;KAC1E;IAED,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,MAAM,CAAC,CAAC;AAC5D,CAAC;AAxBD,gEAwBC;AAED,SAAgB,mBAAmB,CAAC,SAAmB;IACrD,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,SAAS,EAAE,cAAc,CAAC,CAAC;IACzD,MAAM,aAAa,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC;QAC1C,MAAM,EAAE,GAAG;QACX,IAAI,EAAE,SAAS,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,EAAE;YACnC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACd,OAAO,GAAG,CAAC;QACb,CAAC,EAAE,EAAE,CAAC;QACN,OAAO,EAAE,EAAE;QACX,GAAG,EAAE,mCAAmC;KACzC,CAAC,CAAC;IAEH,UAAU,CAAC,OAAO,CAAC;QACjB,KAAK,EAAE;YACL,aAAa;SACd;KACK,CAAC,CAAC;IACV,OAAO,aAAa,CAAC;AACvB,CAAC;AAlBD,kDAkBC;AAED,SAAgB,iBAAiB,CAAC,OAAO;IACvC,OAAO;QACL,KAAK,CAAC,UAAU;YACd,OAAO,OAAO,CAAC;QACjB,CAAC;KACe,CAAC;AACrB,CAAC;AAND,8CAMC;AAED;;;;GAIG;AACH,SAAgB,cAAc,CAAC,eAA0B;IACvD,OAAO;QACL,QAAQ,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE;YAC1B,OAAO,eAAe,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;KACF,CAAC;AACJ,CAAC;AAND,wCAMC"}

14
lib/workflow.js generated

@ -213,7 +213,16 @@ exports.formatWorkflowCause = formatWorkflowCause;
async function getWorkflow() {
const relativePath = await getWorkflowPath();
const absolutePath = path.join((0, util_1.getRequiredEnvParam)("GITHUB_WORKSPACE"), relativePath);
return yaml.load(fs.readFileSync(absolutePath, "utf-8"));
try {
return yaml.load(fs.readFileSync(absolutePath, "utf-8"));
}
catch (e) {
if (e instanceof Error && e["code"] === "ENOENT") {
throw new Error(`Unable to load code scanning workflow from ${absolutePath}. This can happen if the currently ` +
"running workflow checks out a branch that doesn't contain the corresponding workflow file.");
}
throw e;
}
}
exports.getWorkflow = getWorkflow;
/**
@ -247,6 +256,9 @@ function getWorkflowRunID() {
}
exports.getWorkflowRunID = getWorkflowRunID;
function getStepsCallingAction(job, actionName) {
if (job.uses) {
throw new Error(`Could not get steps calling ${actionName} since the job calls a reusable workflow.`);
}
const steps = job.steps;
if (!Array.isArray(steps)) {
throw new Error(`Could not get steps calling ${actionName} since job.steps was not an array.`);


2
node_modules/.package-lock.json generated vendored

@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "2.1.37",
"version": "2.1.38",
"lockfileVersion": 3,
"requires": true,
"packages": {

4
package-lock.json generated

@ -1,12 +1,12 @@
{
"name": "codeql",
"version": "2.1.37",
"version": "2.1.38",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "codeql",
"version": "2.1.37",
"version": "2.1.38",
"license": "MIT",
"dependencies": {
"@actions/artifact": "^1.1.0",


@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "2.1.37",
"version": "2.1.38",
"private": true,
"description": "CodeQL action",
"scripts": {


@ -1,19 +1,19 @@
name: "Export file baseline information"
description: "Tests that file baseline information is exported when the feature is enabled"
versions: ["nightly-latest"]
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true # Remove when Swift is GA.
steps:
- uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
# Windows doesn't support Swift, and only macOS latest and nightly-latest support Swift 5.7.1.
if: runner.os == 'Linux' || (runner.os == 'macOS' && matrix.version == 'cached')
with:
swift-version: "5.7.0"
- uses: ./../action/init
id: init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
env:
CODEQL_FILE_BASELINE_INFORMATION: true
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Build code
shell: bash
run: ./build.sh
@ -22,7 +22,6 @@ steps:
output: "${{ runner.temp }}/results"
env:
CODEQL_FILE_BASELINE_INFORMATION: true
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
- name: Upload SARIF
uses: actions/upload-artifact@v3
with:
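Review bot: The new top-level `env` block in this check writes `CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true` as an unquoted YAML boolean, while the sibling check files touched by this commit spell the same variable as the string `"true"`. Whether the difference matters depends on how the checks generator serialises the env map into the generated workflow, which is not visible here; quoting it as `CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.` removes that dependency and keeps the files uniform. Since the per-step copies of this variable on the init and analyze steps were removed in the same hunk, the top-level value is now the only place it is set, so it is worth getting the type right.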


@ -1,21 +1,18 @@
name: "Multi-language repository"
description: "An end-to-end integration test of a multi-language repository using automatic language detection"
# Temporarily exclude nightly-latest to unblock release
versions: ["stable-20211005", "stable-20220120", "stable-20220401", "cached", "latest"]
operatingSystems: ["ubuntu", "macos"]
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
steps:
- uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
# Only macOS latest and nightly-latest support Swift 5.7.1
if: runner.os == 'Linux' || matrix.version == 'cached'
with:
swift-version: "5.7.0"
- uses: ./../action/init
id: init
with:
db-location: "${{ runner.temp }}/customDbLocation"
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Build code
shell: bash
@ -69,7 +66,7 @@ steps:
fi
- name: Check language autodetect for Swift
if: "!startsWith(matrix.os, 'windows') && (matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
if: "(matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
shell: bash
run: |
SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}


@ -4,17 +4,19 @@ versions: ["latest", "cached", "nightly-latest"]
# Swift autobuilder is only supported on MacOS for private beta
operatingSystems: ["macos"]
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true"
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
steps:
- uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
# Only macOS latest and nightly-latest support Swift 5.7.1
if: runner.os == 'Linux' || matrix.version == 'cached'
with:
swift-version: "5.7.0"
- uses: ./../action/init
id: init
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd
- uses: ./../action/autobuild
- uses: ./../action/analyze
id: analysis


@ -1,21 +1,22 @@
name: "Swift analysis using a custom build command"
description: "Tests creation of a Swift database using custom build"
# Temporarily exclude nightly-latest to unblock release
versions: ["latest", "cached"]
versions: ["latest", "cached", "nightly-latest"]
operatingSystems: ["ubuntu", "macos"]
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true"
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- uses: swift-actions/setup-swift@194625b58a582570f61cc707c3b558086c26b723
# Only macOS latest and nightly-latest support Swift 5.7.1
if: runner.os == 'Linux' || matrix.version == 'cached'
with:
swift-version: "5.7.0"
- uses: ./../action/init
id: init
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd
- name: Build code
shell: bash
run: ./build.sh


@ -8,7 +8,9 @@ steps:
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: env -i PATH="$PATH" HOME="$HOME" ./build.sh
# Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
# workaround for our PR checks.
run: env -i CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN=true PATH="$PATH" HOME="$HOME" ./build.sh
- uses: ./../action/analyze
id: analysis
- shell: bash
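Review bot: `env -i` starts the build with an empty environment, so the workflow-level `CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` that sync.py now injects never reaches `./build.sh`, which is why the variable has to be repeated inline here; the comment should say so, otherwise whoever removes the Kotlin workaround later will drop the sync.py entry and miss this second copy. Suggested wording for the comment above `run:`: `# env -i discards the workflow-level env, so the Kotlin opt-out must be repeated here; remove together with the sync.py entry.` The surrounding check file continues outside the hunk.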


@ -126,6 +126,9 @@ for file in os.listdir('checks'):
'env': {
'GITHUB_TOKEN': '${{ secrets.GITHUB_TOKEN }}',
'GO111MODULE': 'auto',
# Disable Kotlin analysis while it's incompatible with Kotlin 1.8, until we find a
# workaround for our PR checks.
'CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN': 'true',
},
'on': {
'push': {


@ -1,12 +0,0 @@
[[source]]
name = "pypi"
url = "https://pypi.org/simple"
verify_ssl = true
[dev-packages]
[packages]
requests = "*"
[requires]
python_version = "2.7"


@ -1,60 +0,0 @@
{
"_meta": {
"hash": {
"sha256": "76839637c628c87a4ac26d62aa559b8a572f4a742c8b6bd2f339f36514692676"
},
"pipfile-spec": 6,
"requires": {
"python_version": "2.7"
},
"sources": [
{
"name": "pypi",
"url": "https://pypi.org/simple",
"verify_ssl": true
}
]
},
"default": {
"certifi": {
"hashes": [
"sha256:78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872",
"sha256:d62a0163eb4c2344ac042ab2bdf75399a71a2d8c7d47eac2e2ee91b9d6339569"
],
"version": "==2021.10.8"
},
"chardet": {
"hashes": [
"sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa",
"sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"
],
"markers": "python_version < '3'",
"version": "==4.0.0"
},
"idna": {
"hashes": [
"sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6",
"sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"
],
"markers": "python_version < '3'",
"version": "==2.10"
},
"requests": {
"hashes": [
"sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24",
"sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"
],
"index": "pypi",
"version": "==2.26.0"
},
"urllib3": {
"hashes": [
"sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece",
"sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"
],
"markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4' and python_version < '4'",
"version": "==1.26.7"
}
},
"develop": {}
}


@ -1,81 +0,0 @@
[[package]]
name = "certifi"
version = "2021.10.8"
description = "Python package for providing Mozilla's CA Bundle."
category = "main"
optional = false
python-versions = "*"
[[package]]
name = "chardet"
version = "4.0.0"
description = "Universal encoding detector for Python 2 and 3"
category = "main"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
[[package]]
name = "idna"
version = "2.10"
description = "Internationalized Domain Names in Applications (IDNA)"
category = "main"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
[[package]]
name = "requests"
version = "2.26.0"
description = "Python HTTP for Humans."
category = "main"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, !=3.5.*"
[package.dependencies]
certifi = ">=2017.4.17"
chardet = {version = ">=3.0.2,<5", markers = "python_version < \"3\""}
idna = {version = ">=2.5,<3", markers = "python_version < \"3\""}
urllib3 = ">=1.21.1,<1.27"
[package.extras]
socks = ["PySocks (>=1.5.6,!=1.5.7)", "win-inet-pton"]
use_chardet_on_py3 = ["chardet (>=3.0.2,<5)"]
[[package]]
name = "urllib3"
version = "1.26.7"
description = "HTTP library with thread-safe connection pooling, file post, and more."
category = "main"
optional = false
python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4"
[package.extras]
brotli = ["brotlipy (>=0.6.0)"]
secure = ["pyOpenSSL (>=0.14)", "cryptography (>=1.3.4)", "idna (>=2.0.0)", "certifi", "ipaddress"]
socks = ["PySocks (>=1.5.6,!=1.5.7,<2.0)"]
[metadata]
lock-version = "1.1"
python-versions = "^2.7"
content-hash = "c8501f2d45b33db399d74760be224bc771094fccce218ac8fe28f9b0ff85c63d"
[metadata.files]
certifi = [
{file = "certifi-2021.10.8-py2.py3-none-any.whl", hash = "sha256:d62a0163eb4c2344ac042ab2bdf75399a71a2d8c7d47eac2e2ee91b9d6339569"},
{file = "certifi-2021.10.8.tar.gz", hash = "sha256:78884e7c1d4b00ce3cea67b44566851c4343c120abd683433ce934a68ea58872"},
]
chardet = [
{file = "chardet-4.0.0-py2.py3-none-any.whl", hash = "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5"},
{file = "chardet-4.0.0.tar.gz", hash = "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa"},
]
idna = [
{file = "idna-2.10-py2.py3-none-any.whl", hash = "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"},
{file = "idna-2.10.tar.gz", hash = "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6"},
]
requests = [
{file = "requests-2.26.0-py2.py3-none-any.whl", hash = "sha256:6c1246513ecd5ecd4528a0906f910e8f0f9c6b8ec72030dc9fd154dc1a6efd24"},
{file = "requests-2.26.0.tar.gz", hash = "sha256:b8aa58f8cf793ffd8782d3d8cb19e66ef36f7aba4353eec859e74678b01b07a7"},
]
urllib3 = [
{file = "urllib3-1.26.7-py2.py3-none-any.whl", hash = "sha256:c4fdf4019605b6e5423637e01bc9fe4daef873709a7973e195ceba0a62bbc844"},
{file = "urllib3-1.26.7.tar.gz", hash = "sha256:4987c65554f7a2dbf30c18fd48778ef124af6fab771a377103da0585e2336ece"},
]


@ -1,15 +0,0 @@
[tool.poetry]
name = "autoinstall-test"
version = "0.1.0"
description = ""
authors = ["Your Name <you@example.com>"]
[tool.poetry.dependencies]
python = "^2.7"
requests = "*"
[tool.poetry.dev-dependencies]
[build-system]
requires = ["poetry>=0.12"]
build-backend = "poetry.masonry.api"


@ -1 +0,0 @@
requests==2.26.0


@ -1,3 +0,0 @@
# fake setup.py with Trove classifier to fool Python extractor to believe this is Python 2 for sure
# Programming Language :: Python :: 2.7


@ -1,12 +0,0 @@
from setuptools import setup
# has fake Trove classifier to fool Python extractor to believe this is Python 2 for sure
# Programming Language :: Python :: 2.7
setup(
name="example-setup.py",
install_requires=["requests==2.26.0"],
python_requires=">=2.7, <3",
)


@ -24,7 +24,7 @@ import { Features } from "./feature-flags";
import { Language } from "./languages";
import { getActionsLogger, Logger } from "./logging";
import { parseRepositoryNwo } from "./repository";
import { CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF } from "./shared-environment";
import { CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY } from "./shared-environment";
import { getTotalCacheSize, uploadTrapCaches } from "./trap-caching";
import * as upload_lib from "./upload-lib";
import { UploadResult } from "./upload-lib";
@ -279,7 +279,6 @@ async function run() {
logger
);
core.setOutput("sarif-id", uploadResult.sarifID);
core.exportVariable(CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF, "true");
} else {
logger.info("Not uploading results");
}
@ -312,6 +311,10 @@ async function run() {
`expect-error input was set to true but no error was thrown.`
);
}
core.exportVariable(
CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY,
"true"
);
} catch (origError) {
const error =
origError instanceof Error ? origError : new Error(String(origError));
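Review bot: `CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY` is exported at the tail of the `try` block with no comment saying who reads it or why it replaced the upload-branch export; the old `DID_UPLOAD_SARIF` flag was set only when SARIF was actually uploaded, whereas the new flag is also set on the `Not uploading results` path, so any consumer (presumably a post step — not visible here) that relied on the old name to mean "SARIF was uploaded" now has no signal for that. A comment at the export would prevent the two meanings being conflated again: `// Consumed after this action (presumably by the post step); set only once the whole analyze run, upload or not, has finished without error.` `run()` starts and ends outside the hunks shown.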


@ -262,6 +262,7 @@ export async function runQueries(
logger.endGroup();
logger.info(analysisSummary);
} else {
// config was generated by the action, so must be interpreted by the action.
logger.startGroup(`Running queries for ${language}`);
const querySuitePaths: string[] = [];
if (queries["builtin"].length > 0) {


@ -15,7 +15,7 @@ import { GitHubApiDetails } from "./api-client";
import * as codeql from "./codeql";
import { AugmentationProperties, Config } from "./config-utils";
import * as defaults from "./defaults.json";
import { Feature } from "./feature-flags";
import { Feature, featureConfig } from "./feature-flags";
import { Language } from "./languages";
import { getRunnerLogger } from "./logging";
import { setupTests, setupActionsVars, createFeatures } from "./testing-utils";
@ -27,15 +27,13 @@ setupTests(test);
const sampleApiDetails = {
auth: "token",
url: "https://github.com",
apiURL: undefined,
registriesAuthTokens: undefined,
apiURL: "https://api.github.com",
};
const sampleGHAEApiDetails = {
auth: "token",
url: "https://example.githubenterprise.com",
apiURL: undefined,
registriesAuthTokens: undefined,
apiURL: "https://example.githubenterprise.com/api/v3",
};
let stubConfig: Config;
@ -69,21 +67,21 @@ test.beforeEach(() => {
};
});
async function mockApiAndSetupCodeQL({
apiDetails,
bypassToolcache,
/**
* Mocks the API for downloading the bundle tagged `tagName`.
*
* @returns the download URL for the bundle. This can be passed to the tools parameter of
* `codeql.setupCodeQL`.
*/
async function mockDownloadApi({
apiDetails = sampleApiDetails,
isPinned,
tmpDir,
toolsInput,
version,
tagName,
}: {
apiDetails?: GitHubApiDetails;
bypassToolcache?: boolean;
isPinned?: boolean;
tmpDir: string;
toolsInput?: { input?: string };
version: string;
}): Promise<{ codeql: codeql.CodeQL; toolsVersion: string }> {
tagName: string;
}): Promise<string> {
const platform =
process.platform === "win32"
? "win64"
@ -93,8 +91,8 @@ async function mockApiAndSetupCodeQL({
const baseUrl = apiDetails?.url ?? "https://example.com";
const relativeUrl = apiDetails
? `/github/codeql-action/releases/download/${version}/codeql-bundle-${platform}.tar.gz`
: `/download/codeql-bundle-${version}/codeql-bundle.tar.gz`;
? `/github/codeql-action/releases/download/${tagName}/codeql-bundle-${platform}.tar.gz`
: `/download/${tagName}/codeql-bundle.tar.gz`;
nock(baseUrl)
.get(relativeUrl)
@ -106,18 +104,33 @@ async function mockApiAndSetupCodeQL({
)
);
return await codeql.setupCodeQL(
toolsInput ? toolsInput.input : `${baseUrl}${relativeUrl}`,
apiDetails ?? sampleApiDetails,
return `${baseUrl}${relativeUrl}`;
}
async function installIntoToolcache({
apiDetails = sampleApiDetails,
isPinned,
tagName,
tmpDir,
}: {
apiDetails?: GitHubApiDetails;
isPinned: boolean;
tagName: string;
tmpDir: string;
}) {
const url = await mockDownloadApi({ apiDetails, isPinned, tagName });
await codeql.setupCodeQL(
url,
apiDetails,
tmpDir,
util.GitHubVariant.DOTCOM,
!!bypassToolcache,
false,
getRunnerLogger(true),
false
);
}
test("download codeql bundle cache", async (t) => {
test("downloads and caches explicitly requested bundles that aren't in the toolcache", async (t) => {
await util.withTmpDir(async (tmpDir) => {
setupActionsVars(tmpDir, tmpDir);
@ -126,50 +139,65 @@ test("download codeql bundle cache", async (t) => {
for (let i = 0; i < versions.length; i++) {
const version = versions[i];
const codeQLConfig = await mockApiAndSetupCodeQL({ version, tmpDir });
const url = await mockDownloadApi({
tagName: `codeql-bundle-${version}`,
isPinned: false,
});
const result = await codeql.setupCodeQL(
url,
sampleApiDetails,
tmpDir,
util.GitHubVariant.DOTCOM,
false,
getRunnerLogger(true),
false
);
t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
t.deepEqual(codeQLConfig.toolsVersion, version);
t.is(result.toolsVersion, version);
}
t.is(toolcache.findAllVersions("CodeQL").length, 2);
});
});
test("download codeql bundle cache explicitly requested with pinned different version cached", async (t) => {
test("downloads an explicitly requested bundle even if a different version is cached", async (t) => {
await util.withTmpDir(async (tmpDir) => {
setupActionsVars(tmpDir, tmpDir);
const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
version: "20200601",
await installIntoToolcache({
tagName: "codeql-bundle-20200601",
isPinned: true,
tmpDir,
});
t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
const unpinnedCodeQLConfig = await mockApiAndSetupCodeQL({
version: "20200610",
tmpDir,
const url = await mockDownloadApi({
tagName: "codeql-bundle-20200610",
});
const result = await codeql.setupCodeQL(
url,
sampleApiDetails,
tmpDir,
util.GitHubVariant.DOTCOM,
false,
getRunnerLogger(true),
false
);
t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
t.deepEqual(unpinnedCodeQLConfig.toolsVersion, "20200610");
t.deepEqual(result.toolsVersion, "20200610");
});
});
test("don't download codeql bundle cache with pinned different version cached", async (t) => {
test("uses a cached bundle when no tools input is given", async (t) => {
await util.withTmpDir(async (tmpDir) => {
setupActionsVars(tmpDir, tmpDir);
const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
version: "20200601",
await installIntoToolcache({
tagName: "codeql-bundle-20200601",
isPinned: true,
tmpDir,
});
t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
const codeQLConfig = await codeql.setupCodeQL(
const result = await codeql.setupCodeQL(
undefined,
sampleApiDetails,
tmpDir,
@ -178,69 +206,73 @@ test("don't download codeql bundle cache with pinned different version cached",
getRunnerLogger(true),
false
);
t.deepEqual(codeQLConfig.toolsVersion, "0.0.0-20200601");
t.deepEqual(result.toolsVersion, "0.0.0-20200601");
const cachedVersions = toolcache.findAllVersions("CodeQL");
t.is(cachedVersions.length, 1);
});
});
test("download codeql bundle cache with different version cached (not pinned)", async (t) => {
test("downloads bundle if only an unpinned version is cached", async (t) => {
await util.withTmpDir(async (tmpDir) => {
setupActionsVars(tmpDir, tmpDir);
const cachedCodeQLConfig = await mockApiAndSetupCodeQL({
version: "20200601",
await installIntoToolcache({
tagName: "codeql-bundle-20200601",
isPinned: false,
tmpDir,
});
t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
t.deepEqual(cachedCodeQLConfig.toolsVersion, "20200601");
const codeQLConfig = await mockApiAndSetupCodeQL({
version: defaults.bundleVersion,
tmpDir,
apiDetails: sampleApiDetails,
toolsInput: { input: undefined },
await mockDownloadApi({
tagName: defaults.bundleVersion,
});
const result = await codeql.setupCodeQL(
undefined,
sampleApiDetails,
tmpDir,
util.GitHubVariant.DOTCOM,
false,
getRunnerLogger(true),
false
);
t.deepEqual(
codeQLConfig.toolsVersion,
result.toolsVersion,
defaults.bundleVersion.replace("codeql-bundle-", "")
);
const cachedVersions = toolcache.findAllVersions("CodeQL");
t.is(cachedVersions.length, 2);
});
});
test('download codeql bundle cache with pinned different version cached if "latest" tools specified', async (t) => {
test('downloads bundle if "latest" tools specified but not cached', async (t) => {
await util.withTmpDir(async (tmpDir) => {
setupActionsVars(tmpDir, tmpDir);
const pinnedCodeQLConfig = await mockApiAndSetupCodeQL({
version: "20200601",
await installIntoToolcache({
tagName: "codeql-bundle-20200601",
isPinned: true,
tmpDir,
});
t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
t.deepEqual(pinnedCodeQLConfig.toolsVersion, "20200601");
const latestCodeQLConfig = await mockApiAndSetupCodeQL({
version: defaults.bundleVersion,
apiDetails: sampleApiDetails,
toolsInput: { input: "latest" },
tmpDir,
await mockDownloadApi({
tagName: defaults.bundleVersion,
});
const result = await codeql.setupCodeQL(
"latest",
sampleApiDetails,
tmpDir,
util.GitHubVariant.DOTCOM,
false,
getRunnerLogger(true),
false
);
t.deepEqual(
latestCodeQLConfig.toolsVersion,
result.toolsVersion,
defaults.bundleVersion.replace("codeql-bundle-", "")
);
const cachedVersions = toolcache.findAllVersions("CodeQL");
t.is(cachedVersions.length, 2);
});
});
@ -270,25 +302,26 @@ for (const [
await util.withTmpDir(async (tmpDir) => {
setupActionsVars(tmpDir, tmpDir);
await mockApiAndSetupCodeQL({
version: "codeql-bundle-20200601",
apiDetails: sampleApiDetails,
await installIntoToolcache({
tagName: "codeql-bundle-20200601",
isPinned: true,
tmpDir,
});
t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
await mockApiAndSetupCodeQL({
version: defaults.bundleVersion,
apiDetails: sampleApiDetails,
bypassToolcache: isFeatureEnabled,
toolsInput: { input: toolsInput },
tmpDir,
await mockDownloadApi({
tagName: defaults.bundleVersion,
});
await codeql.setupCodeQL(
toolsInput,
sampleApiDetails,
tmpDir,
util.GitHubVariant.DOTCOM,
isFeatureEnabled,
getRunnerLogger(true),
false
);
const cachedVersions = toolcache.findAllVersions("CodeQL");
t.is(cachedVersions.length, shouldToolcacheBeBypassed ? 2 : 1);
});
});
@ -333,6 +366,25 @@ test("download codeql bundle from github ae endpoint", async (t) => {
path.join(__dirname, `/../src/testdata/codeql-bundle-pinned.tar.gz`)
);
// This is a workaround to mock `api.getApiDetails()` since it doesn't seem to be possible to
// mock this directly. The difficulty is that `getApiDetails()` is called locally in
// `api-client.ts`, but `sinon.stub(api, "getApiDetails")` only affects calls to
// `getApiDetails()` via an imported `api` module.
sinon
.stub(actionsUtil, "getRequiredInput")
.withArgs("token")
.returns(sampleGHAEApiDetails.auth);
const requiredEnvParamStub = sinon.stub(util, "getRequiredEnvParam");
requiredEnvParamStub
.withArgs("GITHUB_SERVER_URL")
.returns(sampleGHAEApiDetails.url);
requiredEnvParamStub
.withArgs("GITHUB_API_URL")
.returns(sampleGHAEApiDetails.apiURL);
sinon.stub(actionsUtil, "isRunningLocalAction").returns(false);
process.env["GITHUB_ACTION_REPOSITORY"] = "github/codeql-action";
await codeql.setupCodeQL(
undefined,
sampleGHAEApiDetails,
@ -513,7 +565,7 @@ const injectedConfigMacro = test.macro({
const codeqlObject = await codeql.getCodeQLForTesting();
sinon
.stub(codeqlObject, "getVersion")
.resolves(codeql.CODEQL_VERSION_CONFIG_FILES);
.resolves(featureConfig[Feature.CliConfigFileEnabled].minimumVersion);
const thisStubConfig: Config = {
...stubConfig,
@ -570,7 +622,7 @@ test(
},
{},
{
packs: ["codeql/javascript-experimental-atm-queries@~0.3.0"],
packs: ["codeql/javascript-experimental-atm-queries@~0.4.0"],
}
);
@ -591,7 +643,7 @@ test(
packs: {
javascript: [
"codeql/something-else",
"codeql/javascript-experimental-atm-queries@~0.3.0",
"codeql/javascript-experimental-atm-queries@~0.4.0",
],
},
}
@ -613,7 +665,7 @@ test(
{
packs: {
cpp: ["codeql/something-else"],
javascript: ["codeql/javascript-experimental-atm-queries@~0.3.0"],
javascript: ["codeql/javascript-experimental-atm-queries@~0.4.0"],
},
}
);
@ -694,7 +746,7 @@ test(
},
},
{
packs: ["xxx", "yyy", "codeql/javascript-experimental-atm-queries@~0.3.0"],
packs: ["xxx", "yyy", "codeql/javascript-experimental-atm-queries@~0.4.0"],
}
);
@ -826,7 +878,7 @@ test("does not use injected config", async (t: ExecutionContext<unknown>) => {
const codeqlObject = await codeql.getCodeQLForTesting();
sinon
.stub(codeqlObject, "getVersion")
.resolves(codeql.CODEQL_VERSION_CONFIG_FILES);
.resolves(featureConfig[Feature.CliConfigFileEnabled].minimumVersion);
await codeqlObject.databaseInitCluster(
stubConfig,
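Review bot: The GHAE test assigns `process.env["GITHUB_ACTION_REPOSITORY"] = "github/codeql-action"` directly and never restores it, so the value leaks into every test that runs afterwards in the same process unless `setupTests` snapshots and restores `process.env` (not visible here); the sinon stubs on the lines above are covered by whatever sandbox `setupTests` installs, but a plain env assignment is not. Register the cleanup with ava right after the assignment: `const prevRepo = process.env["GITHUB_ACTION_REPOSITORY"];` followed by `t.teardown(() => { process.env["GITHUB_ACTION_REPOSITORY"] = prevRepo; });`. The comment above the stubs is helpful, but it should also note that `GITHUB_SERVER_URL`/`GITHUB_API_URL` are stubbed rather than set so the same leak does not apply to them. The test body continues outside the hunk.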


@ -9,7 +9,7 @@ import * as yaml from "js-yaml";
import * as semver from "semver";
import { v4 as uuidV4 } from "uuid";
import { isRunningLocalAction } from "./actions-util";
import { getOptionalInput, isRunningLocalAction } from "./actions-util";
import * as api from "./api-client";
import { Config } from "./config-utils";
import * as defaults from "./defaults.json"; // Referenced from codeql-action-sync-tool!
@ -23,7 +23,7 @@ import {
getTrapCachingExtractorConfigArgsForLang,
} from "./trap-caching";
import * as util from "./util";
import { isGoodVersion } from "./util";
import { assertNever, isGoodVersion } from "./util";
type Options = Array<string | number | boolean>;
@ -252,7 +252,6 @@ const CODEQL_MINIMUM_VERSION = "2.6.3";
*/
const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
export const CODEQL_VERSION_CONFIG_FILES = "2.10.1";
const CODEQL_VERSION_LUA_TRACING_GO_WINDOWS_FIXED = "2.10.4";
export const CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
const CODEQL_VERSION_FILE_BASELINE_INFORMATION = "2.11.3";
@ -403,21 +402,161 @@ async function getCodeQLBundleDownloadURL(
return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
}
type CodeQLToolsSource =
| { codeqlTarPath: string; sourceType: "local"; toolsVersion: "local" }
| {
codeqlFolder: string;
sourceType: "toolcache";
toolsVersion: string;
}
| {
codeqlURL: string;
semanticVersion: string;
sourceType: "download";
toolsVersion: string;
};
async function getCodeQLSource(
toolsInput: string | undefined,
bypassToolcache: boolean,
apiDetails: api.GitHubApiDetails,
variant: util.GitHubVariant,
logger: Logger
): Promise<CodeQLToolsSource> {
if (toolsInput && toolsInput !== "latest" && !toolsInput.startsWith("http")) {
return {
codeqlTarPath: toolsInput,
sourceType: "local",
toolsVersion: "local",
};
}
const forceLatestReason =
// We use the special value of 'latest' to prioritize the version in the
// defaults over any pinned cached version.
toolsInput === "latest"
? '"tools: latest" was requested'
: // If the user hasn't requested a particular CodeQL version, then bypass
// the toolcache when the appropriate feature is enabled. This
// allows us to quickly rollback a broken bundle that has made its way
// into the toolcache.
toolsInput === undefined && bypassToolcache
? "a specific version of CodeQL was not requested and the bypass toolcache feature is enabled"
: undefined;
const forceLatest = forceLatestReason !== undefined;
if (forceLatest) {
logger.debug(
`Forcing the latest version of the CodeQL tools since ${forceLatestReason}.`
);
}
const codeqlURL = forceLatest ? undefined : toolsInput;
const requestedSemVer = convertToSemVer(
getCodeQLURLVersion(codeqlURL || `/${CODEQL_BUNDLE_VERSION}/`),
logger
);
// If we find the specified version, we always use that.
const codeqlFolder = toolcache.find("CodeQL", requestedSemVer);
if (codeqlFolder) {
return {
codeqlFolder,
sourceType: "toolcache",
toolsVersion: requestedSemVer,
};
}
// If we don't find the requested version, in some cases we may allow a
// different version to save download time if the version hasn't been
// specified explicitly (in which case we always honor it).
if (!codeqlURL && !forceLatest) {
const codeqlVersions = toolcache.findAllVersions("CodeQL");
if (codeqlVersions.length === 1 && isGoodVersion(codeqlVersions[0])) {
const tmpCodeqlFolder = toolcache.find("CodeQL", codeqlVersions[0]);
if (fs.existsSync(path.join(tmpCodeqlFolder, "pinned-version"))) {
logger.debug(
`CodeQL in cache overriding the default ${CODEQL_BUNDLE_VERSION}`
);
return {
codeqlFolder: tmpCodeqlFolder,
sourceType: "toolcache",
toolsVersion: codeqlVersions[0],
};
}
}
}
return {
codeqlURL:
codeqlURL ||
(await getCodeQLBundleDownloadURL(apiDetails, variant, logger)),
semanticVersion: requestedSemVer,
sourceType: "download",
toolsVersion:
semver.prerelease(requestedSemVer)?.join(".") || requestedSemVer,
};
}
async function downloadCodeQL(
codeqlURL: string,
semanticVersion: string,
apiDetails: api.GitHubApiDetails,
tempDir: string,
logger: Logger
): Promise<string> {
const parsedCodeQLURL = new URL(codeqlURL);
const searchParams = new URLSearchParams(parsedCodeQLURL.search);
const headers: OutgoingHttpHeaders = {
accept: "application/octet-stream",
};
// We only want to provide an authorization header if we are downloading
// from the same GitHub instance the Action is running on.
// This avoids leaking Enterprise tokens to dotcom.
// We also don't want to send an authorization header if there's already a token provided in the URL.
if (searchParams.has("token")) {
logger.debug("CodeQL tools URL contains an authorization token.");
} else if (codeqlURL.startsWith(`${apiDetails.url}/`)) {
logger.debug("Providing an authorization token to download CodeQL tools.");
headers.authorization = `token ${apiDetails.auth}`;
} else {
logger.debug("Downloading CodeQL tools without an authorization token.");
}
logger.info(
`Downloading CodeQL tools from ${codeqlURL}. This may take a while.`
);
const dest = path.join(tempDir, uuidV4());
const finalHeaders = Object.assign(
{ "User-Agent": "CodeQL Action" },
headers
);
const codeqlPath = await toolcache.downloadTool(
codeqlURL,
dest,
undefined,
finalHeaders
);
logger.debug(`CodeQL bundle download to ${codeqlPath} complete.`);
const codeqlExtracted = await toolcache.extractTar(codeqlPath);
return await toolcache.cacheDir(codeqlExtracted, "CodeQL", semanticVersion);
}
/**
* Set up CodeQL CLI access.
*
* @param codeqlURL
* @param toolsInput
* @param apiDetails
* @param tempDir
* @param variant
* @param features
* @param bypassToolcache
* @param logger
* @param checkVersion Whether to check that CodeQL CLI meets the minimum
* version requirement. Must be set to true outside tests.
* @returns a { CodeQL, toolsVersion } object.
*/
export async function setupCodeQL(
codeqlURL: string | undefined,
toolsInput: string | undefined,
apiDetails: api.GitHubApiDetails,
tempDir: string,
variant: util.GitHubVariant,
@ -426,110 +565,37 @@ export async function setupCodeQL(
checkVersion: boolean
): Promise<{ codeql: CodeQL; toolsVersion: string }> {
try {
const forceLatestReason =
// We use the special value of 'latest' to prioritize the version in the
// defaults over any pinned cached version.
codeqlURL === "latest"
? '"tools: latest" was requested'
: // If the user hasn't requested a particular CodeQL version, then bypass
// the toolcache when the appropriate feature is enabled. This
// allows us to quickly rollback a broken bundle that has made its way
// into the toolcache.
codeqlURL === undefined && bypassToolcache
? "a specific version of CodeQL was not requested and the bypass toolcache feature is enabled"
: undefined;
const forceLatest = forceLatestReason !== undefined;
if (forceLatest) {
logger.debug(
`Forcing the latest version of the CodeQL tools since ${forceLatestReason}.`
);
codeqlURL = undefined;
}
const source = await getCodeQLSource(
toolsInput,
bypassToolcache,
apiDetails,
variant,
logger
);
let codeqlFolder: string;
let codeqlURLVersion: string;
if (codeqlURL && !codeqlURL.startsWith("http")) {
codeqlFolder = await toolcache.extractTar(codeqlURL);
codeqlURLVersion = "local";
} else {
codeqlURLVersion = getCodeQLURLVersion(
codeqlURL || `/${CODEQL_BUNDLE_VERSION}/`
);
const codeqlURLSemVer = convertToSemVer(codeqlURLVersion, logger);
// If we find the specified version, we always use that.
codeqlFolder = toolcache.find("CodeQL", codeqlURLSemVer);
// If we don't find the requested version, in some cases we may allow a
// different version to save download time if the version hasn't been
// specified explicitly (in which case we always honor it).
if (!codeqlFolder && !codeqlURL && !forceLatest) {
const codeqlVersions = toolcache.findAllVersions("CodeQL");
if (codeqlVersions.length === 1 && isGoodVersion(codeqlVersions[0])) {
const tmpCodeqlFolder = toolcache.find("CodeQL", codeqlVersions[0]);
if (fs.existsSync(path.join(tmpCodeqlFolder, "pinned-version"))) {
logger.debug(
`CodeQL in cache overriding the default ${CODEQL_BUNDLE_VERSION}`
);
codeqlFolder = tmpCodeqlFolder;
codeqlURLVersion = codeqlVersions[0];
}
}
}
if (codeqlFolder) {
switch (source.sourceType) {
case "local":
codeqlFolder = await toolcache.extractTar(source.codeqlTarPath);
break;
case "toolcache":
codeqlFolder = source.codeqlFolder;
logger.debug(`CodeQL found in cache ${codeqlFolder}`);
} else {
if (!codeqlURL) {
codeqlURL = await getCodeQLBundleDownloadURL(
apiDetails,
variant,
logger
);
}
const parsedCodeQLURL = new URL(codeqlURL);
const searchParams = new URLSearchParams(parsedCodeQLURL.search);
const headers: OutgoingHttpHeaders = {
accept: "application/octet-stream",
};
// We only want to provide an authorization header if we are downloading
// from the same GitHub instance the Action is running on.
// This avoids leaking Enterprise tokens to dotcom.
// We also don't want to send an authorization header if there's already a token provided in the URL.
if (
codeqlURL.startsWith(`${apiDetails.url}/`) &&
!searchParams.has("token")
) {
logger.debug("Downloading CodeQL bundle with token.");
headers.authorization = `token ${apiDetails.auth}`;
} else {
logger.debug("Downloading CodeQL bundle without token.");
}
logger.info(
`Downloading CodeQL tools from ${codeqlURL}. This may take a while.`
break;
case "download":
codeqlFolder = await downloadCodeQL(
source.codeqlURL,
source.semanticVersion,
apiDetails,
tempDir,
logger
);
const dest = path.join(tempDir, uuidV4());
const finalHeaders = Object.assign(
{ "User-Agent": "CodeQL Action" },
headers
);
const codeqlPath = await toolcache.downloadTool(
codeqlURL,
dest,
undefined,
finalHeaders
);
logger.debug(`CodeQL bundle download to ${codeqlPath} complete.`);
const codeqlExtracted = await toolcache.extractTar(codeqlPath);
codeqlFolder = await toolcache.cacheDir(
codeqlExtracted,
"CodeQL",
codeqlURLSemVer
);
}
break;
default:
assertNever(source);
}
let codeqlCmd = path.join(codeqlFolder, "codeql", "codeql");
if (process.platform === "win32") {
codeqlCmd += ".exe";
@ -538,7 +604,7 @@ export async function setupCodeQL(
}
cachedCodeQL = await getCodeQLForCmd(codeqlCmd, checkVersion);
return { codeql: cachedCodeQL, toolsVersion: codeqlURLVersion };
return { codeql: cachedCodeQL, toolsVersion: source.toolsVersion };
} catch (e) {
logger.error(e instanceof Error ? e : new Error(String(e)));
throw new Error("Unable to download and extract CodeQL CLI");
@ -818,24 +884,35 @@ async function getCodeQLForCmd(
}
}
// A config file is only generated if the CliConfigFileEnabled feature flag is enabled.
const configLocation = await generateCodeScanningConfig(
codeql,
config,
featureEnablement
);
// Only pass external repository token if a config file is going to be parsed by the CLI.
let externalRepositoryToken: string | undefined;
if (configLocation) {
extraArgs.push(`--codescanning-config=${configLocation}`);
externalRepositoryToken = getOptionalInput("external-repository-token");
if (externalRepositoryToken) {
extraArgs.push("--external-repository-token-stdin");
}
}
await runTool(cmd, [
"database",
"init",
"--db-cluster",
config.dbLocation,
`--source-root=${sourceRoot}`,
...extraArgs,
...getExtraOptionsFromEnv(["database", "init"]),
]);
await runTool(
cmd,
[
"database",
"init",
"--db-cluster",
config.dbLocation,
`--source-root=${sourceRoot}`,
...extraArgs,
...getExtraOptionsFromEnv(["database", "init"]),
],
{ stdin: externalRepositoryToken }
);
},
async runAutobuild(language: Language) {
const cmdName =
@ -1268,7 +1345,11 @@ export function getExtraOptions(
*/
const maxErrorSize = 20_000;
async function runTool(cmd: string, args: string[] = []) {
async function runTool(
cmd: string,
args: string[] = [],
opts: { stdin?: string } = {}
) {
let output = "";
let error = "";
const exitCode = await new toolrunner.ToolRunner(cmd, args, {
@ -1287,6 +1368,7 @@ async function runTool(cmd: string, args: string[] = []) {
},
},
ignoreReturnCode: true,
...(opts.stdin ? { input: Buffer.from(opts.stdin || "") } : {}),
}).exec();
if (exitCode !== 0)
throw new CommandInvocationError(cmd, args, exitCode, error, output);


@ -582,16 +582,20 @@ async function parseQueryUses(
);
}
// Otherwise, must be a reference to another repo
await addRemoteQueries(
codeQL,
resultMap,
queryUses,
tempDir,
apiDetails,
logger,
configFile
);
// Otherwise, must be a reference to another repo.
// If config parsing is handled in CLI, then this repo will be downloaded
// later by the CLI.
if (!(await useCodeScanningConfigInCli(codeQL, featureEnablement))) {
await addRemoteQueries(
codeQL,
resultMap,
queryUses,
tempDir,
apiDetails,
logger,
configFile
);
}
return false;
}
@ -1724,26 +1728,27 @@ export async function initConfig(
);
}
// The list of queries should not be empty for any language. If it is then
// it is a user configuration error.
for (const language of config.languages) {
const hasBuiltinQueries = config.queries[language]?.builtin.length > 0;
const hasCustomQueries = config.queries[language]?.custom.length > 0;
const hasPacks = (config.packs[language]?.length || 0) > 0;
if (!hasPacks && !hasBuiltinQueries && !hasCustomQueries) {
throw new Error(
`Did not detect any queries to run for ${language}. ` +
"Please make sure that the default queries are enabled, or you are specifying queries to run."
);
}
}
// When using the codescanning config in the CLI, pack downloads
// happen in the CLI during the `database init` command, so no need
// to download them here.
await logCodeScanningConfigInCli(codeQL, featureEnablement, logger);
if (!(await useCodeScanningConfigInCli(codeQL, featureEnablement))) {
// The list of queries should not be empty for any language. If it is then
// it is a user configuration error.
// This check occurs in the CLI when it parses the config file.
for (const language of config.languages) {
const hasBuiltinQueries = config.queries[language]?.builtin.length > 0;
const hasCustomQueries = config.queries[language]?.custom.length > 0;
const hasPacks = (config.packs[language]?.length || 0) > 0;
if (!hasPacks && !hasBuiltinQueries && !hasCustomQueries) {
throw new Error(
`Did not detect any queries to run for ${language}. ` +
"Please make sure that the default queries are enabled, or you are specifying queries to run."
);
}
}
const registries = parseRegistries(registriesInput);
await downloadPacks(
codeQL,
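Review bot: `useCodeScanningConfigInCli(codeQL, featureEnablement)` is now awaited inside the new `parseQueryUses` branch and again in `initConfig` directly after `logCodeScanningConfigInCli`, so the feature decision is re-evaluated once per `queries` entry plus once more here; if that helper is not memoized (not visible in this hunk) each call may repeat the feature lookup, and the call sites could in principle disagree. I would resolve it once in `initConfig` and pass the boolean down, e.g. `const useCliConfig = await useCodeScanningConfigInCli(codeQL, featureEnablement);` and then `if (!useCliConfig) {`. The comment above the skipped empty-queries loop should also spell out the dependency it introduces, e.g. `// When the CLI parses the config (CLI 2.11.6+, see featureConfig), it is responsible for rejecting a config with no queries; the action no longer validates this.` Both `parseQueryUses` and `initConfig` start and end outside the hunk.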


@ -36,29 +36,34 @@ export async function uploadDatabases(
const codeql = await getCodeQL(config.codeQLCmd);
for (const language of config.languages) {
// Upload the database bundle.
// Although we are uploading arbitrary file contents to the API, it's worth
// noting that it's the API's job to validate that the contents is acceptable.
// This API method is available to anyone with write access to the repo.
const payload = fs.readFileSync(
await bundleDb(config, language, codeql, language)
);
try {
await client.request(
`POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name`,
{
owner: repositoryNwo.owner,
repo: repositoryNwo.repo,
language,
name: `${language}-database`,
data: payload,
headers: {
authorization: `token ${apiDetails.auth}`,
"Content-Type": "application/zip",
},
}
);
logger.debug(`Successfully uploaded database for ${language}`);
// Upload the database bundle.
// Although we are uploading arbitrary file contents to the API, it's worth
// noting that it's the API's job to validate that the contents is acceptable.
// This API method is available to anyone with write access to the repo.
const bundledDb = await bundleDb(config, language, codeql, language);
const bundledDbSize = fs.statSync(bundledDb).size;
const bundledDbReadStream = fs.createReadStream(bundledDb);
try {
await client.request(
`POST https://uploads.github.com/repos/:owner/:repo/code-scanning/codeql/databases/:language?name=:name`,
{
owner: repositoryNwo.owner,
repo: repositoryNwo.repo,
language,
name: `${language}-database`,
data: bundledDbReadStream,
headers: {
authorization: `token ${apiDetails.auth}`,
"Content-Type": "application/zip",
"Content-Length": bundledDbSize,
},
}
);
logger.debug(`Successfully uploaded database for ${language}`);
} finally {
bundledDbReadStream.close();
}
} catch (e) {
console.log(e);
// Log a warning but don't fail the workflow
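Review bot: The `catch (e)` that follows the new streaming block still does `console.log(e)`, which bypasses the action's `logger` and dumps the whole error object; if `client.request` rejects with an error that carries the request it was built from, that dump may include the upload URL and request headers, and the `authorization: token …` header is set explicitly a few lines above. I would replace it with `logger.warning(`Failed to upload database for ${language}: ${e instanceof Error ? e.message : String(e)}`);` so only the message reaches the log, keeping the existing non-failing behaviour. Separately, `bundledDbReadStream.close()` in the `finally` is fine for a stream the request consumed to the end, but `destroy()` is the general way to tear down a stream that may still be mid-read after a failed request. The enclosing `uploadDatabases` starts and ends outside the hunk.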


@ -1,3 +1,6 @@
{
"bundleVersion": "codeql-bundle-20221211"
"bundleVersion": "codeql-bundle-20230105",
"cliVersion": "2.12.0",
"priorBundleVersion": "codeql-bundle-20221211",
"priorCliVersion": "2.11.6"
}


@ -43,7 +43,7 @@ export const featureConfig: Record<
},
[Feature.CliConfigFileEnabled]: {
envVar: "CODEQL_PASS_CONFIG_TO_CLI",
minimumVersion: "2.11.1",
minimumVersion: "2.11.6",
},
[Feature.MlPoweredQueriesEnabled]: {
envVar: "CODEQL_ML_POWERED_QUERIES",


@ -8,12 +8,7 @@ import { Feature } from "./feature-flags";
import * as initActionPostHelper from "./init-action-post-helper";
import { getRunnerLogger } from "./logging";
import { parseRepositoryNwo } from "./repository";
import {
createFeatures,
getRecordingLogger,
LoggedMessage,
setupTests,
} from "./testing-utils";
import { createFeatures, setupTests } from "./testing-utils";
import * as uploadLib from "./upload-lib";
import * as util from "./util";
import * as workflow from "./workflow";
@ -134,16 +129,68 @@ test("doesn't upload failed SARIF for workflow with upload: false", async (t) =>
},
},
]);
await testFailedSarifUpload(t, actionsWorkflow, {
expectedLogs: [
{
message:
"Won't upload a failed SARIF file since SARIF upload is disabled.",
type: "debug",
},
],
const result = await testFailedSarifUpload(t, actionsWorkflow, {
expectUpload: false,
});
t.is(result.upload_failed_run_skipped_because, "SARIF upload is disabled");
});
test("uploading failed SARIF run succeeds when workflow uses an input with a matrix var", async (t) => {
const actionsWorkflow = createTestWorkflow([
{
name: "Checkout repository",
uses: "actions/checkout@v3",
},
{
name: "Initialize CodeQL",
uses: "github/codeql-action/init@v2",
with: {
languages: "javascript",
},
},
{
name: "Perform CodeQL Analysis",
uses: "github/codeql-action/analyze@v2",
with: {
category: "/language:${{ matrix.language }}",
},
},
]);
await testFailedSarifUpload(t, actionsWorkflow, {
category: "/language:csharp",
matrix: { language: "csharp" },
});
});
test("uploading failed SARIF run fails when workflow uses a complex upload input", async (t) => {
const actionsWorkflow = createTestWorkflow([
{
name: "Checkout repository",
uses: "actions/checkout@v3",
},
{
name: "Initialize CodeQL",
uses: "github/codeql-action/init@v2",
with: {
languages: "javascript",
},
},
{
name: "Perform CodeQL Analysis",
uses: "github/codeql-action/analyze@v2",
with: {
upload: "${{ matrix.language != 'csharp' }}",
},
},
]);
const result = await testFailedSarifUpload(t, actionsWorkflow, {
expectUpload: false,
});
t.is(
result.upload_failed_run_error,
"Could not get upload input to github/codeql-action/analyze since it contained an " +
"unrecognized dynamic value."
);
});
test("uploading failed SARIF run fails when workflow does not reference github/codeql-action", async (t) => {
@ -153,9 +200,15 @@ test("uploading failed SARIF run fails when workflow does not reference github/c
uses: "actions/checkout@v3",
},
]);
await t.throwsAsync(
async () => await testFailedSarifUpload(t, actionsWorkflow)
const result = await testFailedSarifUpload(t, actionsWorkflow, {
expectUpload: false,
});
t.is(
result.upload_failed_run_error,
"Could not get upload input to github/codeql-action/analyze since the analyze job does not " +
"call github/codeql-action/analyze."
);
t.truthy(result.upload_failed_run_stack_trace);
});
function createTestWorkflow(
@ -186,26 +239,28 @@ async function testFailedSarifUpload(
actionsWorkflow: workflow.Workflow,
{
category,
expectedLogs = [],
expectUpload = true,
matrix = {},
}: {
category?: string;
expectedLogs?: LoggedMessage[];
expectUpload?: boolean;
matrix?: { [key: string]: string };
} = {}
): Promise<void> {
): Promise<initActionPostHelper.UploadFailedSarifResult> {
const config = {
codeQLCmd: "codeql",
debugMode: true,
languages: [],
packs: [],
} as unknown as configUtils.Config;
const messages = [];
process.env["GITHUB_JOB"] = "analyze";
process.env["GITHUB_REPOSITORY"] = "github/codeql-action-fake-repository";
process.env["GITHUB_WORKSPACE"] =
"/home/runner/work/codeql-action/codeql-action";
sinon.stub(actionsUtil, "getRequiredInput").withArgs("matrix").returns("{}");
sinon
.stub(actionsUtil, "getRequiredInput")
.withArgs("matrix")
.returns(JSON.stringify(matrix));
const codeqlObject = await codeql.getCodeQLForTesting();
sinon.stub(codeql, "getCodeQL").resolves(codeqlObject);
@ -214,16 +269,24 @@ async function testFailedSarifUpload(
sinon.stub(workflow, "getWorkflow").resolves(actionsWorkflow);
const uploadFromActions = sinon.stub(uploadLib, "uploadFromActions");
uploadFromActions.resolves({ sarifID: "42" } as uploadLib.UploadResult);
uploadFromActions.resolves({
sarifID: "42",
statusReport: { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 },
} as uploadLib.UploadResult);
const waitForProcessing = sinon.stub(uploadLib, "waitForProcessing");
await initActionPostHelper.uploadFailedSarif(
const result = await initActionPostHelper.tryUploadSarifIfRunFailed(
config,
parseRepositoryNwo("github/codeql-action"),
createFeatures([Feature.UploadFailedSarifEnabled]),
getRecordingLogger(messages)
getRunnerLogger(true)
);
t.deepEqual(messages, expectedLogs);
if (expectUpload) {
t.deepEqual(result, {
raw_upload_size_bytes: 20,
zipped_upload_size_bytes: 10,
});
}
if (expectUpload) {
t.true(
diagnosticsExportStub.calledOnceWith(sinon.match.string, category),
@ -248,4 +311,5 @@ async function testFailedSarifUpload(
t.true(uploadFromActions.notCalled);
t.true(waitForProcessing.notCalled);
}
return result;
}
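Review bot: In `testFailedSarifUpload`, the new `if (expectUpload) { t.deepEqual(result, …) }` block is immediately followed by the pre-existing `if (expectUpload)` block that checks `diagnosticsExportStub`, so the same condition is tested twice in a row; fold the `t.deepEqual(result, { raw_upload_size_bytes: 20, zipped_upload_size_bytes: 10 });` into that existing branch. The helper's return type was widened to `Promise<initActionPostHelper.UploadFailedSarifResult>` but the function has no doc comment saying which fields callers should inspect on the skipped/failed paths; a one-liner such as `// Returns the status-report result so callers can assert on upload_failed_run_skipped_because / upload_failed_run_error.` above the signature would help. `testFailedSarifUpload` starts outside the hunk.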


@ -6,7 +6,7 @@ import { Config, getConfig } from "./config-utils";
import { Feature, FeatureEnablement } from "./feature-flags";
import { Logger } from "./logging";
import { RepositoryNwo } from "./repository";
import { CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF } from "./shared-environment";
import { CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY } from "./shared-environment";
import * as uploadLib from "./upload-lib";
import { getRequiredEnvParam, isInTestMode, parseMatrixInput } from "./util";
import {
@ -36,16 +36,17 @@ function createFailedUploadFailedSarifResult(
};
}
export async function uploadFailedSarif(
/**
* Upload a failed SARIF file if we can verify that SARIF upload is enabled and determine the SARIF
* category for the workflow.
*/
async function maybeUploadFailedSarif(
config: Config,
repositoryNwo: RepositoryNwo,
featureEnablement: FeatureEnablement,
logger: Logger
): Promise<UploadFailedSarifResult> {
if (!config.codeQLCmd) {
logger.warning(
"CodeQL command not found. Unable to upload failed SARIF file."
);
return { upload_failed_run_skipped_because: "CodeQL command not found" };
}
const codeql = await getCodeQL(config.codeQLCmd);
@ -55,7 +56,6 @@ export async function uploadFailedSarif(
codeql
))
) {
logger.debug("Uploading failed SARIF is disabled.");
return { upload_failed_run_skipped_because: "Feature disabled" };
}
const workflow = await getWorkflow();
@ -65,9 +65,6 @@ export async function uploadFailedSarif(
getUploadInputOrThrow(workflow, jobName, matrix) !== "true" ||
isInTestMode()
) {
logger.debug(
"Won't upload a failed SARIF file since SARIF upload is disabled."
);
return { upload_failed_run_skipped_because: "SARIF upload is disabled" };
}
const category = getCategoryInputOrThrow(workflow, jobName, matrix);
@ -92,43 +89,30 @@ export async function uploadFailedSarif(
return uploadResult?.statusReport ?? {};
}
export async function uploadSarifIfRunFailed(
export async function tryUploadSarifIfRunFailed(
config: Config,
repositoryNwo: RepositoryNwo,
featureEnablement: FeatureEnablement,
logger: Logger
): Promise<UploadFailedSarifResult> {
// Environment variable used to integration test uploading a SARIF file for failed runs
const expectFailedSarifUpload =
process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true";
if (process.env[CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF] !== "true") {
if (process.env[CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY] !== "true") {
try {
return await uploadFailedSarif(
return await maybeUploadFailedSarif(
config,
repositoryNwo,
featureEnablement,
logger
);
} catch (e) {
if (expectFailedSarifUpload) {
throw new Error(
"Expected to upload a SARIF file for the failed run, but encountered " +
`the following error: ${e}`
);
}
logger.info(
`Failed to upload a SARIF file for the failed run. Error: ${e}`
logger.debug(
`Failed to upload a SARIF file for this failed CodeQL code scanning run. ${e}`
);
return createFailedUploadFailedSarifResult(e);
}
} else if (expectFailedSarifUpload) {
throw new Error(
"Expected to upload a SARIF file for the failed run, but didn't."
);
} else {
return {
upload_failed_run_skipped_because: "SARIF file already uploaded",
upload_failed_run_skipped_because:
"Analyze Action completed successfully",
};
}
}
@ -149,12 +133,29 @@ export async function run(
return;
}
const uploadFailedSarifResult = await uploadSarifIfRunFailed(
const uploadFailedSarifResult = await tryUploadSarifIfRunFailed(
config,
repositoryNwo,
featureEnablement,
logger
);
if (uploadFailedSarifResult.upload_failed_run_skipped_because) {
logger.debug(
"Won't upload a failed SARIF file for this CodeQL code scanning run because: " +
`${uploadFailedSarifResult.upload_failed_run_skipped_because}.`
);
}
// Throw an error if in integration tests, we expected to upload a SARIF file for a failed run
// but we didn't upload anything.
if (
process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true" &&
!uploadFailedSarifResult.raw_upload_size_bytes
) {
throw new Error(
"Expected to upload a failed SARIF file for this CodeQL code scanning run, " +
`but the result was instead ${uploadFailedSarifResult}.`
);
}
// Upload appropriate Actions artifacts for debugging
if (config.debugMode) {
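Review bot: The error thrown at the end of the new expectation check interpolates `${uploadFailedSarifResult}` into a template string, and since that value is an object the message will read `… the result was instead [object Object]`, losing exactly the `upload_failed_run_skipped_because` / `upload_failed_run_error` detail that explains why nothing was uploaded. Use `${JSON.stringify(uploadFailedSarifResult)}` there. The same check treats a `raw_upload_size_bytes` of `0` the same as an absent value, which is presumably intended but deserves a comment such as `// A missing or zero upload size means no SARIF reached the API.` The enclosing `run` starts outside the hunk.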


@ -16,7 +16,7 @@ import * as util from "./util";
import { codeQlVersionAbove } from "./util";
export async function initCodeQL(
codeqlURL: string | undefined,
toolsInput: string | undefined,
apiDetails: GitHubApiDetails,
tempDir: string,
variant: util.GitHubVariant,
@ -25,7 +25,7 @@ export async function initCodeQL(
): Promise<{ codeql: CodeQL; toolsVersion: string }> {
logger.startGroup("Setup CodeQL tools");
const { codeql, toolsVersion } = await setupCodeQL(
codeqlURL,
toolsInput,
apiDetails,
tempDir,
variant,


@ -1,10 +1,9 @@
/**
* This environment variable is set to true when the `analyze` Action
* successfully uploads a SARIF file. It does NOT indicate whether the
* SARIF file was processed successfully.
* completes successfully.
*/
export const CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF =
"CODEQL_ACTION_ANALYZE_DID_UPLOAD_SARIF";
export const CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY =
"CODEQL_ACTION_ANALYZE_DID_COMPLETE_SUCCESSFULLY";
export const CODEQL_ACTION_TESTING_ENVIRONMENT =
"CODEQL_ACTION_TESTING_ENVIRONMENT";


@ -1,5 +1,6 @@
import * as github from "@actions/github";
import { TestFn } from "ava";
import * as nock from "nock";
import * as sinon from "sinon";
import * as apiClient from "./api-client";
@ -90,6 +91,9 @@ export function setupTests(test: TestFn<any>) {
process.stdout.write(t.context.testOutput);
}
// Undo any modifications made by nock
nock.cleanAll();
// Undo any modifications made by sinon
sinon.restore();


@ -18,6 +18,7 @@ interface WorkflowJob {
name?: string;
"runs-on"?: string;
steps?: WorkflowJobStep[];
uses?: string;
}
interface WorkflowTrigger {
@ -258,7 +259,17 @@ export async function getWorkflow(): Promise<Workflow> {
relativePath
);
return yaml.load(fs.readFileSync(absolutePath, "utf-8")) as Workflow;
try {
return yaml.load(fs.readFileSync(absolutePath, "utf-8")) as Workflow;
} catch (e) {
if (e instanceof Error && e["code"] === "ENOENT") {
throw new Error(
`Unable to load code scanning workflow from ${absolutePath}. This can happen if the currently ` +
"running workflow checks out a branch that doesn't contain the corresponding workflow file."
);
}
throw e;
}
}
/**
@ -301,6 +312,11 @@ function getStepsCallingAction(
job: WorkflowJob,
actionName: string
): WorkflowJobStep[] {
if (job.uses) {
throw new Error(
`Could not get steps calling ${actionName} since the job calls a reusable workflow.`
);
}
const steps = job.steps;
if (!Array.isArray(steps)) {
throw new Error(