Update CodeQL releases used in PR checks

2023-03-28 18:57:30 +01:00 · 2023-03-28 18:57:30 +01:00 · 6ef37003ca
commit 6ef37003ca
parent d13d683355
39 changed files with 469 additions and 240 deletions
--- a/pr-checks/checks/export-file-baseline-information.yml
+++ b/pr-checks/checks/export-file-baseline-information.yml
@ -1,8 +1,6 @@
 name: "Export file baseline information"
 description: "Tests that file baseline information is exported when the feature is enabled"
 versions: ["nightly-latest"]
-env: 
-  CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true # Remove when Swift is GA.
 steps:
  - uses: ./../action/init
    id: init
@ -10,6 +8,7 @@ steps:
      languages: javascript
      tools: ${{ steps.prepare-test.outputs.tools-url }}
    env:
+      CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
      CODEQL_FILE_BASELINE_INFORMATION: true
  - uses: ./../action/.github/setup-swift
    with:
--- a/pr-checks/checks/ml-powered-queries.yml
+++ b/pr-checks/checks/ml-powered-queries.yml
@ -1,12 +1,5 @@
 name: "ML-powered queries"
 description: "Tests that ML-powered queries are run with the security-extended suite and that they produce alerts on a test DB"
-versions: [
-    # Latest release in 2.7.x series
-    "stable-20220120",
-    "cached",
-    "latest",
-    "nightly-latest",
-  ]
 steps:
  - uses: ./../action/init
    with:
@ -30,7 +23,7 @@ steps:
  - name: Check sarif
    uses: ./../action/.github/check-sarif
    # Running on Windows requires CodeQL CLI 2.9.0+.
-    if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
+    if: "!(matrix.version == 'stable-20220401' && runner.os == 'Windows')"
    with:
      sarif-file: ${{ runner.temp }}/results/javascript.sarif
      queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
@ -39,7 +32,7 @@ steps:
  - name: Check results
    env:
      # Running on Windows requires CodeQL CLI 2.9.0+.
-      SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220120' && runner.os == 'Windows') }}
+      SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220401' && runner.os == 'Windows') }}
    shell: bash
    run: |
      echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
--- a/pr-checks/checks/multi-language-autodetect.yml
+++ b/pr-checks/checks/multi-language-autodetect.yml
@ -1,8 +1,6 @@
 name: "Multi-language repository"
 description: "An end-to-end integration test of a multi-language repository using automatic language detection"
 operatingSystems: ["ubuntu", "macos"]
-env:
-  CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
 steps:
  - uses: ./../action/init
    id: init
@ -58,7 +56,7 @@ steps:
      fi

  - name: Check language autodetect for Ruby
-    if: "(matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+    if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
    shell: bash
    run: |
      RUBY_DB=${{ fromJson(steps.analysis.outputs.db-locations).ruby }}
@ -68,7 +66,7 @@ steps:
      fi

  - name: Check language autodetect for Swift
-    if: "(matrix.version == 'cached' || matrix.version == 'latest' || matrix.version == 'nightly-latest')"
+    if: env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true'
    shell: bash
    run: |
      SWIFT_DB=${{ fromJson(steps.analysis.outputs.db-locations).swift }}
--- a/pr-checks/checks/swift-autobuild.yml
+++ b/pr-checks/checks/swift-autobuild.yml
@ -3,8 +3,6 @@ description: "Tests creation of a Swift database using autobuild"
 versions: ["latest", "cached", "nightly-latest"]
 # Swift autobuilder is only supported on MacOS for private beta
 operatingSystems: ["macos"]
-env:
-  CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
 steps:
  - uses: ./../action/init
    id: init
--- a/pr-checks/checks/swift-custom-build.yml
+++ b/pr-checks/checks/swift-custom-build.yml
@ -3,7 +3,6 @@ description: "Tests creation of a Swift database using custom build"
 versions: ["latest", "cached", "nightly-latest"]
 operatingSystems: ["ubuntu", "macos"]
 env:
-  CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
  DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
  - uses: ./../action/init
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@ -3,12 +3,14 @@ import os

 # The default set of CodeQL Bundle versions to use for the PR checks.
 defaultTestVersions = [
-    # The oldest supported CodeQL version: 2.6.3. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
-    "stable-20211005",
-    # The last CodeQL release in the 2.7 series: 2.7.6.
-    "stable-20220120",
-    # The last CodeQL release in the 2.8 series: 2.8.5.
+    # The oldest supported CodeQL version: 2.8.5. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
    "stable-20220401",
+    # The last CodeQL release in the 2.9 series: 2.9.6.
+    "stable-20220615",
+    # The last CodeQL release in the 2.10 series: 2.10.6.
+    "stable-20220908",
+    # The last CodeQL release in the 2.11 series: 2.11.6.
+    "stable-20221211",
    # The version of CodeQL currently in the toolcache. Typically either the latest release or the one before.
    "cached",
    # The latest release of CodeQL.
@ -18,22 +20,6 @@ defaultTestVersions = [
 ]


-def isCompatibleWithLatestImages(version):
-    if version in ["cached", "latest", "nightly-latest"]:
-        return True
-    date = version.split("-")[1]
-    # The first version of the CodeQL CLI compatible with `ubuntu-22.04` and `windows-2022` is
-    # 2.8.2. This appears in CodeQL Bundle version codeql-bundle-20220224.
-    return date >= "20220224"
-
-
-def operatingSystemsForVersion(version):
-    if isCompatibleWithLatestImages(version):
-        return ["ubuntu-latest", "macos-latest", "windows-latest"]
-    else:
-        return ["ubuntu-20.04", "macos-latest", "windows-2019"]
-
-
 header = """# Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
@ -60,7 +46,7 @@ for file in os.listdir('checks'):

    matrix = []
    for version in checkSpecification.get('versions', defaultTestVersions):
-        runnerImages = operatingSystemsForVersion(version)
+        runnerImages = ["ubuntu-latest", "macos-latest", "windows-latest"]
        if checkSpecification.get('operatingSystems', None):
            runnerImages = [image for image in runnerImages for operatingSystem in checkSpecification['operatingSystems']
                            if image.startswith(operatingSystem)]
@ -83,19 +69,24 @@ for file in os.listdir('checks'):
            'with': {
                'version': '${{ matrix.version }}'
            }
-        }
+        },
+        # We don't support Swift on Windows or prior versions of the CLI.
+        {
+            'name': 'Set environment variable for Swift enablement',
+            'if': '''
+                runner.os != 'Windows' && (
+                    matrix.version == '20220908' ||
+                    matrix.version == '20221211' ||
+                    matrix.version == 'cached' ||
+                    matrix.version == 'latest' ||
+                    matrix.version == 'nightly-latest'
+                )
+            ''',
+            'shell': 'bash',
+            'run': 'echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV'
+        },
    ]

-    if any(not isCompatibleWithLatestImages(m['version']) for m in matrix):
-        steps.append({
-            'name': 'Set up Go',
-            'if': "matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'",
-            'uses': 'actions/setup-go@v4',
-            'with': {
-                'go-version': '^1.13.1'
-            }
-        })
-
    steps.extend(checkSpecification['steps'])

    checkJob = {