Merge branch 'main' into aeisenberg/enable-kotlin-tests

Andrew Eisenberg 2024-04-01 11:27:17 -07:00 committed by GitHub
commit 72f5fb9a00
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1827 changed files with 154945 additions and 250316 deletions


@ -0,0 +1,29 @@
name: "Build mode autobuild"
description: "An end-to-end integration test of a Java repository built using 'build-mode: autobuild'"
operatingSystems: ["ubuntu"]
versions: ["nightly-latest"]
steps:
- name: Set up Java test repo configuration
run: |
mv * .github ../action/tests/multi-language-repo/
mv ../action/tests/multi-language-repo/.github/workflows .github
mv ../action/tests/java-repo/* .
- uses: ./../action/init
id: init
with:
build-mode: autobuild
db-location: "${{ runner.temp }}/customDbLocation"
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "autobuild" ]]; then
echo "Expected build mode to be 'autobuild' but was $build_mode"
exit 1
fi
- uses: ./../action/analyze
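Review bot: In the `Set up Java test repo configuration` step, the second `mv` probably does not recreate `.github/workflows`. The first command moves `.github` out of the workspace, so when `mv ../action/tests/multi-language-repo/.github/workflows .github` runs, the destination does not exist and the `workflows` directory is renamed to `.github`. If the intent is to keep the workflows at their usual path, add `mkdir -p .github` before that line; if the flat layout is intended, a comment above the `run:` saying so would help. The same three commands appear in the "Build mode rollback" check.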


@ -0,0 +1,31 @@
name: "Build mode manual"
description: "An end-to-end integration test of a Java repository built using 'build-mode: manual'"
operatingSystems: ["ubuntu"]
versions: ["nightly-latest"]
steps:
- uses: ./../action/init
id: init
with:
build-mode: manual
db-location: "${{ runner.temp }}/customDbLocation"
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "manual" ]]; then
echo "Expected build mode to be 'manual' but was $build_mode"
exit 1
fi
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{ steps.init.outputs.codeql-path }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
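Review bot: The `setup-swift` step between the validation step and `Build code` looks out of place in a check whose `init` step sets `languages: java`. If `./build.sh` does not compile Swift sources here, the step only adds run time and one more dependency to the job and can be dropped. If it is needed, a comment such as `# build.sh also builds the Swift sources, which needs the toolchain` above the step would explain why; what `build.sh` does is not visible on this page.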


@ -0,0 +1,27 @@
name: "Build mode none"
description: "An end-to-end integration test of a Java repository built using 'build-mode: none'"
operatingSystems: ["ubuntu"]
versions: ["latest", "nightly-latest"]
steps:
- uses: ./../action/init
id: init
with:
build-mode: none
db-location: "${{ runner.temp }}/customDbLocation"
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "none" ]]; then
echo "Expected build mode to be 'none' but was $build_mode"
exit 1
fi
# The latest nightly supports omitting the autobuild Action when the build mode is specified.
- uses: ./../action/autobuild
if: matrix.version != 'nightly-latest'
- uses: ./../action/analyze


@ -0,0 +1,31 @@
name: "Build mode rollback"
description: "The build mode is rolled back from none to autobuild when the relevant feature flag is enabled."
operatingSystems: ["ubuntu"]
versions: ["nightly-latest"]
env:
CODEQL_ACTION_DISABLE_JAVA_BUILDLESS: true
steps:
- name: Set up Java test repo configuration
run: |
mv * .github ../action/tests/multi-language-repo/
mv ../action/tests/multi-language-repo/.github/workflows .github
mv ../action/tests/java-repo/* .
- uses: ./../action/init
id: init
with:
build-mode: none
db-location: "${{ runner.temp }}/customDbLocation"
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Validate database build mode
run: |
metadata_path="$RUNNER_TEMP/customDbLocation/java/codeql-database.yml"
build_mode=$(yq eval '.buildMode' "$metadata_path")
if [[ "$build_mode" != "autobuild" ]]; then
echo "Expected build mode to be 'autobuild' but was $build_mode"
exit 1
fi
- uses: ./../action/analyze


@ -1,8 +1,6 @@
name: "Config export"
description: "Tests that the code scanning configuration file is exported to SARIF correctly."
versions: ["latest", "nightly-latest"]
env:
CODEQL_PASS_CONFIG_TO_CLI: true
steps:
- uses: ./../action/init
with:
@ -20,7 +18,7 @@ steps:
path: "${{ runner.temp }}/results/javascript.sarif"
retention-days: 7
- name: Check config properties appear in SARIF
uses: actions/github-script@v6
uses: actions/github-script@v7
env:
SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
with:
@ -35,13 +33,13 @@ steps:
core.setFailed('`codeqlConfigSummary` property not found in the SARIF run property bag.');
}
if (configSummary.disableDefaultQueries !== false) {
core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' +
core.setFailed('`disableDefaultQueries` property incorrect: expected false, got ' +
`${JSON.stringify(configSummary.disableDefaultQueries)}.`);
}
const expectedQueries = [{ type: 'builtinSuite', uses: 'security-extended' }];
// Use JSON.stringify to deep-equal the arrays.
if (JSON.stringify(configSummary.queries) !== JSON.stringify(expectedQueries)) {
core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` +
core.setFailed(`\`queries\` property incorrect: expected ${JSON.stringify(expectedQueries)}, got ` +
`${JSON.stringify(configSummary.queries)}.`);
}
core.info('Finished config export tests.');


@ -0,0 +1,33 @@
name: "Config input"
description: "Tests specifying configuration using the config input"
operatingSystems: ["ubuntu"]
versions: ["latest"]
steps:
- name: Copy queries into workspace
run: |
cp -a ../action/queries .
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
languages: javascript
build-mode: none
config: |
disable-default-queries: true
queries:
- name: Run custom query
uses: ./queries/default-setup-environment-variables.ql
paths-ignore:
- tests
- lib
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
- name: Check SARIF
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/codeql-action/default-setup-env-vars
queries-not-run: javascript/codeql-action/default-setup-context-properties
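Review bot: `queries-not-run` names only `javascript/codeql-action/default-setup-context-properties`, which appears to be another custom query rather than one from the default suite, so the `Check SARIF` step does not show that `disable-default-queries: true` took effect. Adding an id from the default JavaScript suite to `queries-not-run` would cover that, provided `check-sarif` accepts more than one id (its input format is not visible here). The `paths-ignore` entries are likewise not asserted by any step shown.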


@ -0,0 +1,26 @@
name: "C/C++: disabling autoinstalling dependencies (Linux)"
description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly disabled works"
operatingSystems: ["ubuntu"]
versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with CLIs < 2.15.0
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
with:
languages: cpp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false
- shell: bash
run: |
if ls /usr/bin/errno; then
echo "C/C++ autobuild installed errno, but it should not have since auto-install dependencies is disabled."
exit 1
fi
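Review bot: The final step infers what autobuild did from whether `/usr/bin/errno` exists afterwards, so the verdict depends on what the runner image already ships. A step before `./../action/autobuild` that asserts the starting state, for example `if [[ -e /usr/bin/errno ]]; then echo "errno already present on the runner"; exit 1; fi`, would tie the result to this run. The same applies to the macOS and Linux autoinstall checks that follow; in the Linux one a preinstalled binary would let the test pass without any install having happened. In this file `CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: false` is also unquoted while `DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"` is quoted; quoting both keeps the environment values as strings.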


@ -0,0 +1,28 @@
name: "C/C++: autoinstalling dependencies is skipped (macOS)"
description: "Checks that running C/C++ autobuild with autoinstalling dependencies explicitly enabled is a no-op on macOS"
operatingSystems: ["macos"]
versions: ["nightly-latest"] # This is not released yet, will come with 2.15.2
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
with:
languages: cpp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
- shell: bash
run: |
if ! ls /usr/bin/errno; then
echo "As expected, CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES is a no-op on macOS"
else
echo "CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES should not have had any effect on macOS"
exit 1
fi


@ -0,0 +1,26 @@
name: "C/C++: autoinstalling dependencies (Linux)"
description: "Checks that running C/C++ autobuild with autoinstalling dependencies works"
operatingSystems: ["ubuntu"]
versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with CLIs < 2.15.0
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- name: Test setup
shell: bash
run: |
cp -a ../action/tests/cpp-autobuild autobuild-dir
- uses: ./../action/init
with:
languages: cpp
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
env:
CODEQL_EXTRACTOR_CPP_AUTOINSTALL_DEPENDENCIES: true
- shell: bash
run: |
if ! ls /usr/bin/errno; then
echo "Did not autoinstall errno"
exit 1
fi


@ -38,7 +38,7 @@ steps:
path: "${{ runner.temp }}/results/javascript.sarif"
retention-days: 7
- name: Check diagnostics appear in SARIF
uses: actions/github-script@v6
uses: actions/github-script@v7
env:
SARIF_PATH: "${{ runner.temp }}/results/javascript.sarif"
with:
@ -66,7 +66,7 @@ steps:
core.setFailed(
'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
`'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
`${statusPageNotifications.length}. All notification reporting descriptors: ` +
`${statusPageNotifications.length}. All notification reporting descriptors: ` +
`${JSON.stringify(toolExecutionNotifications)}.`
);
}


@ -1,14 +1,14 @@
name: "Export file baseline information"
description: "Tests that file baseline information is exported when the feature is enabled"
versions: ["nightly-latest"]
env:
CODEQL_ACTION_SUBLANGUAGE_FILE_COVERAGE: true
steps:
- uses: ./../action/init
id: init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
env:
CODEQL_FILE_BASELINE_INFORMATION: true
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{ steps.init.outputs.codeql-path }}
@ -18,8 +18,6 @@ steps:
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
env:
CODEQL_FILE_BASELINE_INFORMATION: true
- name: Upload SARIF
uses: actions/upload-artifact@v3
with:
@ -30,13 +28,13 @@ steps:
shell: bash
run: |
cd "$RUNNER_TEMP/results"
expected_baseline_languages="cpp cs go java js py rb"
expected_baseline_languages="c csharp go java kotlin javascript python ruby"
if [[ $RUNNER_OS != "Windows" ]]; then
expected_baseline_languages+=" swift"
fi
for lang in ${expected_baseline_languages}; do
rule_name="${lang}/baseline/expected-extracted-files"
rule_name="cli/expected-extracted-files/${lang}"
found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
if [[ "${found_notification}" != "true" ]]; then


@ -5,7 +5,7 @@ operatingSystems: ["ubuntu"]
# pinned to a version which does not support statically linked binaries for indirect tracing
versions: ["stable-v2.14.6"]
steps:
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
# We need a Go version that ships with statically linked binaries on Linux
go-version: ">=1.21.0"
@ -14,7 +14,7 @@ steps:
languages: go
tools: ${{ steps.prepare-test.outputs.tools-url }}
# Deliberately change Go after the `init` step
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
go-version: "1.20"
- name: Build code
@ -25,7 +25,7 @@ steps:
output: "${{ runner.temp }}/results"
upload-database: false
- name: Check diagnostic appears in SARIF
uses: actions/github-script@v6
uses: actions/github-script@v7
env:
SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
with:


@ -5,7 +5,7 @@ operatingSystems: ["ubuntu"]
# pinned to a version which does not support statically linked binaries for indirect tracing
versions: ["stable-v2.14.6"]
steps:
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
# We need a Go version that ships with statically linked binaries on Linux
go-version: ">=1.21.0"


@ -4,9 +4,12 @@ operatingSystems: ["ubuntu", "macos"]
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
go-version: "~1.21.1"
go-version: "~1.22.0"
# to avoid potentially misleading autobuilder results where we expect it to download
# dependencies successfully, but they actually come from a warm cache
cache: false
- uses: ./../action/init
with:
languages: go


@ -2,9 +2,12 @@ name: "Go: tracing with custom build steps"
description: "Checks that Go tracing traces the build when using custom build steps"
operatingSystems: ["ubuntu", "macos"]
steps:
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
go-version: "~1.21.1"
go-version: "~1.22.0"
# to avoid potentially misleading autobuilder results where we expect it to download
# dependencies successfully, but they actually come from a warm cache
cache: false
- uses: ./../action/init
with:
languages: go


@ -4,9 +4,12 @@ operatingSystems: ["ubuntu", "macos"]
env:
DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
steps:
- uses: actions/setup-go@v4
- uses: actions/setup-go@v5
with:
go-version: "~1.21.1"
go-version: "~1.22.0"
# to avoid potentially misleading autobuilder results where we expect it to download
# dependencies successfully, but they actually come from a warm cache
cache: false
- uses: ./../action/init
with:
languages: go


@ -61,8 +61,8 @@ steps:
fi
- name: Check language autodetect for Swift
if: >-
env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true' ||
if: >-
env.CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT == 'true' ||
(runner.os != 'Windows' && matrix.version == 'nightly-latest')
shell: bash
run: |


@ -1,10 +1,6 @@
name: "Packaging: Config and input passed to the CLI"
description: "Checks that specifying packages using a combination of a config file and input to the Action works"
versions: ["latest", "default", "nightly-latest"] # This feature is not compatible with old CLIs
env:
CODEQL_PASS_CONFIG_TO_CLI: true
steps:
- uses: ./../action/init
with:


@ -1,29 +1,35 @@
name: "Use a custom `checkout_path`"
description: "Checks that a custom `checkout_path` will find the proper commit_oid"
versions: ["latest"]
steps:
# This ensures we don't accidentally use the original checkout for any part of the test.
- name: Delete original checkout
shell: bash
run: |
# delete the original checkout so we don't accidentally use it.
# Actions does not support deleting the current working directory, so we
# delete the contents of the directory instead.
rm -rf ./* .github .git
# Check out the actions repo again, but at a different location.
# choose an arbitrary SHA so that we can later test that the commit_oid is not from main
- uses: actions/checkout@v4
with:
ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
path: x/y/z/some-path
- uses: ./../action/init
with:
tools: ${{ steps.prepare-test.outputs.tools-url }}
# it's enough to test one compiled language and one interpreted language
languages: csharp,javascript
source-path: x/y/z/some-path/tests/multi-language-repo
debug: true
- name: Build code (non-windows)
source-root: x/y/z/some-path/tests/multi-language-repo
- name: Build code
shell: bash
if: ${{ runner.os != 'Windows' }}
working-directory: x/y/z/some-path/tests/multi-language-repo
run: |
$CODEQL_RUNNER x/y/z/some-path/tests/multi-language-repo/build.sh
- name: Build code (windows)
shell: bash
if: ${{ runner.os == 'Windows' }}
run: |
x/y/z/some-path/tests/multi-language-repo/build.sh
./build.sh
- uses: ./../action/analyze
with:
checkout_path: x/y/z/some-path/tests/multi-language-repo

45
pr-checks/sync.py Normal file → Executable file

@ -1,13 +1,13 @@
#!/usr/bin/env python
import ruamel.yaml
from ruamel.yaml.scalarstring import FoldedScalarString
import os
import pathlib
import textwrap
# The default set of CodeQL Bundle versions to use for the PR checks.
defaultTestVersions = [
# The oldest supported CodeQL version: 2.10.5. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
"stable-20220908",
# The last CodeQL release in the 2.11 series: 2.11.6.
# The oldest supported CodeQL version: 2.11.6. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
"stable-20221211",
# The last CodeQL release in the 2.12 series: 2.12.7.
"stable-20230418",
@ -47,9 +47,11 @@ def writeHeader(checkStream):
yaml = ruamel.yaml.YAML()
yaml.Representer = NonAliasingRTRepresenter
this_dir = pathlib.Path(__file__).resolve().parent
allJobs = {}
for file in os.listdir('checks'):
with open(f"checks/{file}", 'r') as checkStream:
for file in (this_dir / 'checks').glob('*.yml'):
with open(file, 'r') as checkStream:
checkSpecification = yaml.load(checkStream)
matrix = []
@ -70,6 +72,22 @@ for file in os.listdir('checks'):
useAllPlatformBundle = checkSpecification['useAllPlatformBundle']
steps = [
{
'name': 'Setup Python on MacOS',
'uses': 'actions/setup-python@v5',
# Ensure that this is serialized as a folded (`>`) string to preserve the readability
# of the generated workflow.
'if': FoldedScalarString(textwrap.dedent('''
matrix.os == 'macos-latest' && (
matrix.version == 'stable-20221211' ||
matrix.version == 'stable-20230418' ||
matrix.version == 'stable-v2.13.5' ||
matrix.version == 'stable-v2.14.6')
''').strip()),
'with': {
'python-version': '3.11'
}
},
{
'name': 'Check out repository',
'uses': 'actions/checkout@v4'
@ -89,14 +107,7 @@ for file in os.listdir('checks'):
# We don't support Swift on Windows or prior versions of the CLI.
{
'name': 'Set environment variable for Swift enablement',
# Ensure that this is serialized as a folded (`>`) string to preserve the readability
# of the generated workflow.
'if': FoldedScalarString(textwrap.dedent('''
runner.os != 'Windows' && (
matrix.version == '20220908' ||
matrix.version == '20221211'
)
''').strip()),
'if': "runner.os != 'Windows' && matrix.version == '20221211'",
'shell': 'bash',
'run': 'echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV'
},
@ -129,9 +140,9 @@ for file in os.listdir('checks'):
checkJob['env'] = checkJob.get('env', {})
if 'CODEQL_ACTION_TEST_MODE' not in checkJob['env']:
checkJob['env']['CODEQL_ACTION_TEST_MODE'] = True
checkName = file[:len(file) - 4]
checkName = file.stem
with open(f"../.github/workflows/__{checkName}.yml", 'w') as output_stream:
with open(this_dir.parent / ".github" / "workflows" / f"__{checkName}.yml", 'w') as output_stream:
writeHeader(output_stream)
yaml.dump({
'name': f"PR Check - {checkSpecification['name']}",
@ -141,7 +152,7 @@ for file in os.listdir('checks'):
},
'on': {
'push': {
'branches': ['main', 'releases/v2']
'branches': ['main', 'releases/v*']
},
'pull_request': {
'types': ["opened", "synchronize", "reopened", "ready_for_review"]
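Review bot: The rewritten Swift condition compares `matrix.version == '20221211'`, while `defaultTestVersions` and the new `Setup Python on MacOS` condition in this same file spell that version `'stable-20221211'`. If `matrix.version` is filled from those strings (the matrix construction is outside the visible hunks), the `Set environment variable for Swift enablement` step never runs. Either use `'if': "runner.os != 'Windows' && matrix.version == 'stable-20221211'",` or drop the step if Swift is no longer exercised on that CLI. The new Python step also repeats four version literals by hand, so a comment next to `defaultTestVersions` saying that this condition must be updated together with the list would keep it from going stale.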