Enforce a minimum version of CodeQL CLI

src/analyze.ts

@@ -116,7 +116,7 @@ async function createdDBForScannedLanguages(
   // we extract any scanned languages.
   analysisPaths.includeAndExcludeAnalysisPaths(config);
 
-  const codeql = getCodeQL(config.codeQLCmd);
+  const codeql = await getCodeQL(config.codeQLCmd);
   for (const language of config.languages) {
     if (
       isScannedLanguage(language) &&
@@ -164,7 +164,7 @@ async function finalizeDatabaseCreation(
 ) {
   await createdDBForScannedLanguages(config, logger);
 
-  const codeql = getCodeQL(config.codeQLCmd);
+  const codeql = await getCodeQL(config.codeQLCmd);
   for (const language of config.languages) {
     if (dbIsFinalized(config, language, logger)) {
       logger.info(
@@ -230,7 +230,7 @@ export async function runQueries(
         logger.info("*************");
         logger.startGroup(`Downloading custom packs for ${language}`);
 
-        const codeql = getCodeQL(config.codeQLCmd);
+        const codeql = await getCodeQL(config.codeQLCmd);
         const results = await codeql.packDownload(packsWithVersion);
         logger.info(
           `Downloaded packs: ${results.packs
@@ -320,7 +320,7 @@ export async function runQueries(
     sarifFile: string
   ): Promise<string> {
     const databasePath = util.getCodeQLDatabasePath(config, language);
-    const codeql = getCodeQL(config.codeQLCmd);
+    const codeql = await getCodeQL(config.codeQLCmd);
     return await codeql.databaseInterpretResults(
       databasePath,
       queries,
@@ -346,7 +346,7 @@ export async function runQueries(
       `Query suite file for ${language}-${type}...\n${querySuiteContents}`
     );
 
-    const codeql = getCodeQL(config.codeQLCmd);
+    const codeql = await getCodeQL(config.codeQLCmd);
     await codeql.databaseRunQueries(
       databasePath,
       searchPath,
@@ -402,7 +402,7 @@ export async function runCleanup(
 ): Promise<void> {
   logger.startGroup("Cleaning up databases");
   for (const language of config.languages) {
-    const codeql = getCodeQL(config.codeQLCmd);
+    const codeql = await getCodeQL(config.codeQLCmd);
     const databasePath = util.getCodeQLDatabasePath(config, language);
     await codeql.databaseCleanup(databasePath, cleanupLevel);
   }

src/autobuild.ts

@@ -40,7 +40,7 @@ export async function runAutobuild(
   logger: Logger
 ) {
   logger.startGroup(`Attempting to automatically build ${language} code`);
-  const codeQL = getCodeQL(config.codeQLCmd);
+  const codeQL = await getCodeQL(config.codeQLCmd);
   await codeQL.runAutobuild(language);
   logger.endGroup();
 }

src/codeql.test.ts

@@ -49,7 +49,8 @@ test("download codeql bundle cache", async (t) => {
         tmpDir,
         tmpDir,
         util.GitHubVariant.DOTCOM,
-        getRunnerLogger(true)
+        getRunnerLogger(true),
+        false
       );
 
       t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
@@ -78,7 +79,8 @@ test("download codeql bundle cache explicitly requested with pinned different ve
       tmpDir,
       tmpDir,
       util.GitHubVariant.DOTCOM,
-      getRunnerLogger(true)
+      getRunnerLogger(true),
+      false
     );
 
     t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
@@ -96,7 +98,8 @@ test("download codeql bundle cache explicitly requested with pinned different ve
       tmpDir,
       tmpDir,
       util.GitHubVariant.DOTCOM,
-      getRunnerLogger(true)
+      getRunnerLogger(true),
+      false
     );
 
     t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
@@ -120,7 +123,8 @@ test("don't download codeql bundle cache with pinned different version cached",
       tmpDir,
       tmpDir,
       util.GitHubVariant.DOTCOM,
-      getRunnerLogger(true)
+      getRunnerLogger(true),
+      false
     );
 
     t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
@@ -131,7 +135,8 @@ test("don't download codeql bundle cache with pinned different version cached",
       tmpDir,
       tmpDir,
       util.GitHubVariant.DOTCOM,
-      getRunnerLogger(true)
+      getRunnerLogger(true),
+      false
     );
 
     const cachedVersions = toolcache.findAllVersions("CodeQL");
@@ -157,7 +162,8 @@ test("download codeql bundle cache with different version cached (not pinned)",
       tmpDir,
       tmpDir,
       util.GitHubVariant.DOTCOM,
-      getRunnerLogger(true)
+      getRunnerLogger(true),
+      false
     );
 
     t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
@@ -183,7 +189,8 @@ test("download codeql bundle cache with different version cached (not pinned)",
       tmpDir,
       tmpDir,
       util.GitHubVariant.DOTCOM,
-      getRunnerLogger(true)
+      getRunnerLogger(true),
+      false
     );
 
     const cachedVersions = toolcache.findAllVersions("CodeQL");
@@ -209,7 +216,8 @@ test('download codeql bundle cache with pinned different version cached if "late
       tmpDir,
       tmpDir,
       util.GitHubVariant.DOTCOM,
-      getRunnerLogger(true)
+      getRunnerLogger(true),
+      false
     );
 
     t.assert(toolcache.find("CodeQL", "0.0.0-20200601"));
@@ -236,7 +244,8 @@ test('download codeql bundle cache with pinned different version cached if "late
       tmpDir,
       tmpDir,
       util.GitHubVariant.DOTCOM,
-      getRunnerLogger(true)
+      getRunnerLogger(true),
+      false
     );
 
     const cachedVersions = toolcache.findAllVersions("CodeQL");
@@ -290,7 +299,8 @@ test("download codeql bundle from github ae endpoint", async (t) => {
       tmpDir,
       tmpDir,
       util.GitHubVariant.GHAE,
-      getRunnerLogger(true)
+      getRunnerLogger(true),
+      false
     );
 
     const cachedVersions = toolcache.findAllVersions("CodeQL");

src/codeql.ts

@@ -178,9 +178,20 @@ let cachedCodeQL: CodeQL | undefined = undefined;
 const CODEQL_BUNDLE_VERSION = defaults.bundleVersion;
 const CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
 
+/**
+ * The oldest version of CodeQL that the Action will run with. This should be
+ * at least three minor versions behind the current version. The version flags
+ * below can be used to conditionally enable certain features on versions newer
+ * than this. Please record the reason we cannot support an older version.
+ *
+ * Reason: Changes to how the tracing environment is set up.
+ */
+const CODEQL_MINIMUM_VERSION = "2.3.1";
+
 /**
  * Versions of CodeQL that version-flag certain functionality in the Action.
- * For convenience, please keep these in descending order.
+ * For convenience, please keep these in descending order. Once a version
+ * flag is older than the oldest supported version above, it may be removed.
  */
 const CODEQL_VERSION_RAM_FINALIZE = "2.5.8";
 const CODEQL_VERSION_DIAGNOSTICS = "2.5.6";
@@ -326,7 +337,8 @@ export async function setupCodeQL(
   tempDir: string,
   toolCacheDir: string,
   variant: util.GitHubVariant,
-  logger: Logger
+  logger: Logger,
+  checkVersion: boolean
 ): Promise<{ codeql: CodeQL; toolsVersion: string }> {
   try {
     // We use the special value of 'latest' to prioritize the version in the
@@ -437,7 +449,7 @@ export async function setupCodeQL(
       throw new Error(`Unsupported platform: ${process.platform}`);
     }
 
-    cachedCodeQL = getCodeQLForCmd(codeqlCmd);
+    cachedCodeQL = await getCodeQLForCmd(codeqlCmd, checkVersion);
     return { codeql: cachedCodeQL, toolsVersion: codeqlURLVersion };
   } catch (e) {
     logger.error(e);
@@ -474,9 +486,9 @@ export function convertToSemVer(version: string, logger: Logger): string {
 /**
  * Use the CodeQL executable located at the given path.
  */
-export function getCodeQL(cmd: string): CodeQL {
+export async function getCodeQL(cmd: string): Promise<CodeQL> {
   if (cachedCodeQL === undefined) {
-    cachedCodeQL = getCodeQLForCmd(cmd);
+    cachedCodeQL = await getCodeQLForCmd(cmd, true);
   }
   return cachedCodeQL;
 }
@@ -549,9 +561,12 @@ export function getCachedCodeQL(): CodeQL {
   return cachedCodeQL;
 }
 
-function getCodeQLForCmd(cmd: string): CodeQL {
+async function getCodeQLForCmd(
+  cmd: string,
+  checkVersion: boolean
+): Promise<CodeQL> {
   let cachedVersion: undefined | Promise<string> = undefined;
-  return {
+  const codeql = {
     getPath() {
       return cmd;
     },
@@ -869,6 +884,15 @@ function getCodeQLForCmd(cmd: string): CodeQL {
       await new toolrunner.ToolRunner(cmd, args).exec();
     },
   };
+  if (
+    checkVersion &&
+    !(await util.codeQlVersionAbove(codeql, CODEQL_MINIMUM_VERSION))
+  ) {
+    throw new Error(
+      `Expected a CodeQL CLI with version at least ${CODEQL_MINIMUM_VERSION} but got version ${await codeql.getVersion()}`
+    );
+  }
+  return codeql;
 }
 
 function packWithVersionToString(pack: PackWithVersion): string {

src/database-upload.ts

@@ -52,7 +52,7 @@ export async function uploadDatabases(
     return;
   }
 
-  const codeql = getCodeQL(config.codeQLCmd);
+  const codeql = await getCodeQL(config.codeQLCmd);
   for (const language of config.languages) {
     // Bundle the database up into a single zip file
     const databasePath = util.getCodeQLDatabasePath(config, language);

src/init.ts

@@ -28,7 +28,8 @@ export async function initCodeQL(
     tempDir,
     toolCacheDir,
     variant,
-    logger
+    logger,
+    true
   );
   await codeql.printVersion();
   logger.endGroup();

src/runner.ts

@@ -195,7 +195,7 @@ program
 
       let codeql: CodeQL;
       if (cmd.codeqlPath !== undefined) {
-        codeql = getCodeQL(cmd.codeqlPath);
+        codeql = await getCodeQL(cmd.codeqlPath);
       } else {
         codeql = (
           await initCodeQL(