robojerk/codeql-action

Merge branch 'main' into split-upload-method

Browse source
This commit is contained in:
Sam Partington 2020-12-22 11:23:49 +00:00
commit 82a8fa443e
76 changed files with 8064 additions and 489 deletions
Download patch file Download diff file Expand all files Collapse all files

351
src/actions-util.test.ts
View file

@ -1,4 +1,5 @@
import test from "ava";
import * as yaml from "js-yaml";
import sinon from "sinon";
import * as actionsutil from "./actions-util";
@ -81,3 +82,353 @@ test("prepareEnvironment() when a local run", (t) => {
t.deepEqual(process.env.GITHUB_JOB, "UNKNOWN-JOB");
t.deepEqual(process.env.CODEQL_ACTION_ANALYSIS_KEY, "LOCAL-RUN:UNKNOWN-JOB");
});
test("validateWorkflow() when on is missing", (t) => {
const errors = actionsutil.validateWorkflow({});
t.deepEqual(errors, [actionsutil.WorkflowErrors.MissingHooks]);
});
test("validateWorkflow() when on.push is missing", (t) => {
const errors = actionsutil.validateWorkflow({ on: {} });
console.log(errors);
t.deepEqual(errors, [actionsutil.WorkflowErrors.MissingHooks]);
});
test("validateWorkflow() when on.push is an array missing pull_request", (t) => {
const errors = actionsutil.validateWorkflow({ on: ["push"] });
t.deepEqual(errors, [actionsutil.WorkflowErrors.MissingPullRequestHook]);
});
test("validateWorkflow() when on.push is an array missing push", (t) => {
const errors = actionsutil.validateWorkflow({ on: ["pull_request"] });
t.deepEqual(errors, [actionsutil.WorkflowErrors.MissingPushHook]);
});
test("validateWorkflow() when on.push is valid", (t) => {
const errors = actionsutil.validateWorkflow({
on: ["push", "pull_request"],
});
t.deepEqual(errors, []);
});
test("validateWorkflow() when on.push is a valid superset", (t) => {
const errors = actionsutil.validateWorkflow({
on: ["push", "pull_request", "schedule"],
});
t.deepEqual(errors, []);
});
test("validateWorkflow() when on.push should not have a path", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main"], paths: ["test/*"] },
pull_request: { branches: ["main"] },
},
});
t.deepEqual(errors, [actionsutil.WorkflowErrors.PathsSpecified]);
});
test("validateWorkflow() when on.push is a correct object", (t) => {
const errors = actionsutil.validateWorkflow({
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
});
t.deepEqual(errors, []);
});
test("validateWorkflow() when on.pull_requests is a string", (t) => {
const errors = actionsutil.validateWorkflow({
on: { push: { branches: ["main"] }, pull_request: { branches: "*" } },
});
t.deepEqual(errors, [actionsutil.WorkflowErrors.MismatchedBranches]);
});
test("validateWorkflow() when on.pull_requests is a string and correct", (t) => {
const errors = actionsutil.validateWorkflow({
on: { push: { branches: "*" }, pull_request: { branches: "*" } },
});
t.deepEqual(errors, []);
});
test("validateWorkflow() when on.push is correct with empty objects", (t) => {
const errors = actionsutil.validateWorkflow({
on: { push: undefined, pull_request: undefined },
});
t.deepEqual(errors, []);
});
test("validateWorkflow() when on.push is mismatched", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main"] },
pull_request: { branches: ["feature"] },
},
});
t.deepEqual(errors, [actionsutil.WorkflowErrors.MismatchedBranches]);
});
test("validateWorkflow() when on.push is not mismatched", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main", "feature"] },
pull_request: { branches: ["main"] },
},
});
t.deepEqual(errors, []);
});
test("validateWorkflow() when on.push is mismatched for pull_request", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main"] },
pull_request: { branches: ["main", "feature"] },
},
});
t.deepEqual(errors, [actionsutil.WorkflowErrors.MismatchedBranches]);
});
test("validateWorkflow() for a range of malformed workflows", (t) => {
t.deepEqual(
actionsutil.validateWorkflow({
on: {
push: 1,
pull_request: 1,
},
} as any),
[]
);
t.deepEqual(
actionsutil.validateWorkflow({
on: 1,
} as any),
[actionsutil.WorkflowErrors.MissingHooks]
);
t.deepEqual(
actionsutil.validateWorkflow({
on: 1,
jobs: 1,
} as any),
[actionsutil.WorkflowErrors.MissingHooks]
);
t.deepEqual(
actionsutil.validateWorkflow({
on: 1,
jobs: [1],
} as any),
[actionsutil.WorkflowErrors.MissingHooks]
);
t.deepEqual(
actionsutil.validateWorkflow({
on: 1,
jobs: { 1: 1 },
} as any),
[actionsutil.WorkflowErrors.MissingHooks]
);
t.deepEqual(
actionsutil.validateWorkflow({
on: 1,
jobs: { test: 1 },
} as any),
[actionsutil.WorkflowErrors.MissingHooks]
);
t.deepEqual(
actionsutil.validateWorkflow({
on: 1,
jobs: { test: [1] },
} as any),
[actionsutil.WorkflowErrors.MissingHooks]
);
t.deepEqual(
actionsutil.validateWorkflow({
on: 1,
jobs: { test: { steps: 1 } },
} as any),
[actionsutil.WorkflowErrors.MissingHooks]
);
t.deepEqual(
actionsutil.validateWorkflow({
on: 1,
jobs: { test: { steps: [{ notrun: "git checkout HEAD^2" }] } },
} as any),
[actionsutil.WorkflowErrors.MissingHooks]
);
t.deepEqual(
actionsutil.validateWorkflow({
on: 1,
jobs: { test: [undefined] },
} as any),
[actionsutil.WorkflowErrors.MissingHooks]
);
t.deepEqual(actionsutil.validateWorkflow(1 as any), [
actionsutil.WorkflowErrors.MissingHooks,
]);
t.deepEqual(
actionsutil.validateWorkflow({
on: {
push: {
branches: 1,
},
pull_request: {
branches: 1,
},
},
} as any),
[]
);
});
test("validateWorkflow() when on.pull_request for every branch but push specifies branches", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["main"] },
pull_request: null,
},
});
t.deepEqual(errors, [actionsutil.WorkflowErrors.MismatchedBranches]);
});
test("validateWorkflow() when on.pull_request for wildcard branches", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["feature/*"] },
pull_request: { branches: "feature/moose" },
},
});
t.deepEqual(errors, []);
});
test("validateWorkflow() when on.pull_request for mismatched wildcard branches", (t) => {
const errors = actionsutil.validateWorkflow({
on: {
push: { branches: ["feature/moose"] },
pull_request: { branches: "feature/*" },
},
});
t.deepEqual(errors, [actionsutil.WorkflowErrors.MismatchedBranches]);
});
test("validateWorkflow() when HEAD^2 is checked out", (t) => {
const errors = actionsutil.validateWorkflow({
on: ["push", "pull_request"],
jobs: { test: { steps: [{ run: "git checkout HEAD^2" }] } },
});
t.deepEqual(errors, [actionsutil.WorkflowErrors.CheckoutWrongHead]);
});
test("formatWorkflowErrors() when there is one error", (t) => {
const message = actionsutil.formatWorkflowErrors([
actionsutil.WorkflowErrors.CheckoutWrongHead,
]);
t.true(message.startsWith("1 issue was detected with this workflow:"));
});
test("formatWorkflowErrors() when there are multiple errors", (t) => {
const message = actionsutil.formatWorkflowErrors([
actionsutil.WorkflowErrors.CheckoutWrongHead,
actionsutil.WorkflowErrors.PathsSpecified,
]);
t.true(message.startsWith("2 issues were detected with this workflow:"));
});
test("formatWorkflowCause()", (t) => {
const message = actionsutil.formatWorkflowCause([
actionsutil.WorkflowErrors.CheckoutWrongHead,
actionsutil.WorkflowErrors.PathsSpecified,
]);
t.deepEqual(message, "CheckoutWrongHead,PathsSpecified");
t.deepEqual(actionsutil.formatWorkflowCause([]), undefined);
});
test("patternIsSuperset()", (t) => {
t.false(actionsutil.patternIsSuperset("main-*", "main"));
t.true(actionsutil.patternIsSuperset("*", "*"));
t.true(actionsutil.patternIsSuperset("*", "main-*"));
t.false(actionsutil.patternIsSuperset("main-*", "*"));
t.false(actionsutil.patternIsSuperset("main-*", "main"));
t.true(actionsutil.patternIsSuperset("main", "main"));
t.false(actionsutil.patternIsSuperset("*", "feature/*"));
t.true(actionsutil.patternIsSuperset("**", "feature/*"));
t.false(actionsutil.patternIsSuperset("feature-*", "**"));
t.false(actionsutil.patternIsSuperset("a/**/c", "a/**/d"));
t.false(actionsutil.patternIsSuperset("a/**/c", "a/**"));
t.true(actionsutil.patternIsSuperset("a/**", "a/**/c"));
t.true(actionsutil.patternIsSuperset("a/**/c", "a/main-**/c"));
t.false(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/d/**/c"));
t.true(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/b/c/**/c"));
t.true(actionsutil.patternIsSuperset("a/**/b/**/c", "a/**/b/d/**/c"));
t.false(actionsutil.patternIsSuperset("a/**/c/d/**/c", "a/**/b/**/c"));
t.false(actionsutil.patternIsSuperset("a/main-**/c", "a/**/c"));
t.true(
actionsutil.patternIsSuperset(
"/robin/*/release/*",
"/robin/moose/release/goose"
)
);
t.false(
actionsutil.patternIsSuperset(
"/robin/moose/release/goose",
"/robin/*/release/*"
)
);
});
test("validateWorkflow() when branches contain dots", (t) => {
const errors = actionsutil.validateWorkflow(
yaml.safeLoad(`
on:
push:
branches: [4.1, master]
pull_request:
# The branches below must be a subset of the branches above
branches: [4.1, master]
`)
);
t.deepEqual(errors, []);
});
test("validateWorkflow() when on.push has a trailing comma", (t) => {
const errors = actionsutil.validateWorkflow(
yaml.safeLoad(`
name: "CodeQL"
on:
push:
branches: [master, ]
pull_request:
# The branches below must be a subset of the branches above
branches: [master]
`)
);
t.deepEqual(errors, []);
});

263
src/actions-util.ts
View file

@ -1,8 +1,10 @@
import * as fs from "fs";
import * as path from "path";
import * as core from "@actions/core";
import * as toolrunner from "@actions/exec/lib/toolrunner";
import * as safeWhich from "@chrisgavin/safe-which";
import * as yaml from "js-yaml";
import * as api from "./api-client";
import * as sharedEnv from "./shared-environment";
@ -100,10 +102,267 @@ export const getCommitOid = async function (): Promise<string> {
}
};
interface WorkflowJobStep {
run: any;
}
interface WorkflowJob {
steps?: WorkflowJobStep[];
}
interface WorkflowTrigger {
branches?: string[] | string;
paths?: string[];
}
// on: {} then push/pull_request are undefined
// on:
// push:
// pull_request:
// then push/pull_request are null
interface WorkflowTriggers {
push?: WorkflowTrigger | null;
pull_request?: WorkflowTrigger | null;
}
interface Workflow {
jobs?: { [key: string]: WorkflowJob };
on?: string | string[] | WorkflowTriggers;
}
function isObject(o: unknown): o is object {
return o !== null && typeof o === "object";
}
const GLOB_PATTERN = new RegExp("(\\*\\*?)");
function escapeRegExp(string) {
return string.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); // $& means the whole matched string
}
function patternToRegExp(value) {
return new RegExp(
`^${value
.toString()
.split(GLOB_PATTERN)
.reduce(function (arr, cur) {
if (cur === "**") {
arr.push(".*?");
} else if (cur === "*") {
arr.push("[^/]*?");
} else if (cur) {
arr.push(escapeRegExp(cur));
}
return arr;
}, [])
.join("")}$`
);
}
// this function should return true if patternA is a superset of patternB
// e.g: * is a superset of main-* but main-* is not a superset of *.
export function patternIsSuperset(patternA: string, patternB: string): boolean {
return patternToRegExp(patternA).test(patternB);
}
function branchesToArray(branches?: string | null | string[]): string[] | "**" {
if (typeof branches === "string") {
return [branches];
}
if (Array.isArray(branches)) {
if (branches.length === 0) {
return "**";
}
return branches;
}
return "**";
}
enum MissingTriggers {
None = 0,
Push = 1,
PullRequest = 2,
}
interface CodedError {
message: string;
code: string;
}
function toCodedErrors(errors: {
[key: string]: string;
}): { [key: string]: CodedError } {
return Object.entries(errors).reduce((acc, [key, value]) => {
acc[key] = { message: value, code: key };
return acc;
}, {} as ReturnType<typeof toCodedErrors>);
}
export const WorkflowErrors = toCodedErrors({
MismatchedBranches: `Please make sure that every branch in on.pull_request is also in on.push so that Code Scanning can compare pull requests against the state of the base branch.`,
MissingHooks: `Please specify on.push and on.pull_request hooks so that Code Scanning can compare pull requests against the state of the base branch.`,
MissingPullRequestHook: `Please specify an on.pull_request hook so that Code Scanning is explicitly run against pull requests. This will be required to see results on pull requests from January 31 2021.`,
MissingPushHook: `Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.`,
PathsSpecified: `Using on.push.paths can prevent Code Scanning annotating new alerts in your pull requests.`,
PathsIgnoreSpecified: `Using on.push.paths-ignore can prevent Code Scanning annotating new alerts in your pull requests.`,
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
LintFailed: `Unable to lint workflow for CodeQL.`,
});
export function validateWorkflow(doc: Workflow): CodedError[] {
const errors: CodedError[] = [];
// .jobs[key].steps[].run
for (const job of Object.values(doc?.jobs || {})) {
if (Array.isArray(job?.steps)) {
for (const step of job?.steps) {
// this was advice that we used to give in the README
// we actually want to run the analysis on the merge commit
// to produce results that are more inline with expectations
// (i.e: this is what will happen if you merge this PR)
// and avoid some race conditions
if (step?.run === "git checkout HEAD^2") {
errors.push(WorkflowErrors.CheckoutWrongHead);
}
}
}
}
let missing = MissingTriggers.None;
if (doc.on === undefined) {
missing = MissingTriggers.Push | MissingTriggers.PullRequest;
} else if (typeof doc.on === "string") {
switch (doc.on) {
case "push":
missing = MissingTriggers.PullRequest;
break;
case "pull_request":
missing = MissingTriggers.Push;
break;
default:
missing = MissingTriggers.Push | MissingTriggers.PullRequest;
break;
}
} else if (Array.isArray(doc.on)) {
if (!doc.on.includes("push")) {
missing = missing | MissingTriggers.Push;
}
if (!doc.on.includes("pull_request")) {
missing = missing | MissingTriggers.PullRequest;
}
} else if (isObject(doc.on)) {
if (!Object.prototype.hasOwnProperty.call(doc.on, "pull_request")) {
missing = missing | MissingTriggers.PullRequest;
}
if (!Object.prototype.hasOwnProperty.call(doc.on, "push")) {
missing = missing | MissingTriggers.Push;
} else {
const paths = doc.on.push?.paths;
// if you specify paths or paths-ignore you can end up with commits that have no baseline
// if they didn't change any files
// currently we cannot go back through the history and find the most recent baseline
if (Array.isArray(paths) && paths.length > 0) {
errors.push(WorkflowErrors.PathsSpecified);
}
const pathsIgnore = doc.on.push?.["paths-ignore"];
if (Array.isArray(pathsIgnore) && pathsIgnore.length > 0) {
errors.push(WorkflowErrors.PathsIgnoreSpecified);
}
}
const push = branchesToArray(doc.on.push?.branches);
if (push !== "**") {
const pull_request = branchesToArray(doc.on.pull_request?.branches);
if (pull_request !== "**") {
const difference = pull_request.filter(
(value) => !push.some((o) => patternIsSuperset(o, value))
);
if (difference.length > 0) {
// there are branches in pull_request that may not have a baseline
// because we are not building them on push
errors.push(WorkflowErrors.MismatchedBranches);
}
} else if (push.length > 0) {
// push is set up to run on a subset of branches
// and you could open a PR against a branch with no baseline
errors.push(WorkflowErrors.MismatchedBranches);
}
}
} else {
// on is not a known type
// this workflow is likely malformed
missing = MissingTriggers.Push | MissingTriggers.PullRequest;
}
switch (missing) {
case MissingTriggers.PullRequest | MissingTriggers.Push:
errors.push(WorkflowErrors.MissingHooks);
break;
case MissingTriggers.PullRequest:
errors.push(WorkflowErrors.MissingPullRequestHook);
break;
case MissingTriggers.Push:
errors.push(WorkflowErrors.MissingPushHook);
break;
}
return errors;
}
export async function getWorkflowErrors(): Promise<CodedError[]> {
try {
const workflow = await getWorkflow();
if (workflow === undefined) {
return [];
}
return validateWorkflow(workflow);
} catch (e) {
return [WorkflowErrors.LintFailed];
}
}
export function formatWorkflowErrors(errors: CodedError[]): string {
const issuesWere = errors.length === 1 ? "issue was" : "issues were";
const errorsList = errors.map((e) => e.message).join(" ");
return `${errors.length} ${issuesWere} detected with this workflow: ${errorsList}`;
}
export function formatWorkflowCause(errors: CodedError[]): undefined | string {
if (errors.length === 0) {
return undefined;
}
return errors.map((e) => e.code).join(",");
}
export async function getWorkflow(): Promise<Workflow | undefined> {
const relativePath = await getWorkflowPath();
const absolutePath = path.join(
getRequiredEnvParam("GITHUB_WORKSPACE"),
relativePath
);
try {
return yaml.safeLoad(fs.readFileSync(absolutePath, "utf-8"));
} catch (e) {
core.warning(`Could not read workflow: ${e.toString()}`);
return undefined;
}
}
/**
* Get the path of the currently executing workflow.
*/
async function getWorkflowPath(): Promise<string> {
if (isLocalRun()) {
return getRequiredEnvParam("WORKFLOW_PATH");
}
const repo_nwo = getRequiredEnvParam("GITHUB_REPOSITORY").split("/");
const owner = repo_nwo[0];
const repo = repo_nwo[1];
@ -356,11 +615,11 @@ export async function sendStatusReport<S extends StatusReportBase>(
// this means that this action version is no longer compatible with the API
// we still want to continue as it is likely the analysis endpoint will work
if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
core.warning(
core.debug(
"CodeQL Action version is incompatible with the code scanning endpoint. Please update to a compatible version of codeql-action."
);
} else {
core.warning(
core.debug(
"CodeQL Action is out-of-date. Please upgrade to the latest version of codeql-action."
);
}

3
src/analysis-paths.test.ts
View file

@ -19,6 +19,7 @@ test("emptyPaths", async (t) => {
tempDir: tmpDir,
toolCacheDir: tmpDir,
codeQLCmd: "",
gitHubVersion: { type: "dotcom" } as util.GitHubVersion,
};
analysisPaths.includeAndExcludeAnalysisPaths(config);
t.is(process.env["LGTM_INDEX_INCLUDE"], undefined);
@ -38,6 +39,7 @@ test("nonEmptyPaths", async (t) => {
tempDir: tmpDir,
toolCacheDir: tmpDir,
codeQLCmd: "",
gitHubVersion: { type: "dotcom" } as util.GitHubVersion,
};
analysisPaths.includeAndExcludeAnalysisPaths(config);
t.is(process.env["LGTM_INDEX_INCLUDE"], "path1\npath2");
@ -61,6 +63,7 @@ test("exclude temp dir", async (t) => {
tempDir,
toolCacheDir,
codeQLCmd: "",
gitHubVersion: { type: "dotcom" } as util.GitHubVersion,
};
analysisPaths.includeAndExcludeAnalysisPaths(config);
t.is(process.env["LGTM_INDEX_INCLUDE"], undefined);

16
src/analyze-action.ts
View file

@ -84,6 +84,7 @@ async function run() {
return;
}
const gitHubVersion = await util.getGitHubVersion(apiDetails);
const uploadStats = await upload_lib.uploadFromActions(
outputDir,
parseRepositoryNwo(actionsUtil.getRequiredEnvParam("GITHUB_REPOSITORY")),
@ -94,6 +95,7 @@ async function run() {
actionsUtil.getWorkflowRunID(),
actionsUtil.getRequiredInput("checkout_path"),
actionsUtil.getRequiredInput("matrix"),
gitHubVersion,
apiDetails,
logger
);
@ -114,7 +116,13 @@ async function run() {
await sendStatusReport(startedAt, stats);
}
run().catch((e) => {
core.setFailed(`analyze action failed: ${e}`);
console.log(e);
});
async function runWrapper() {
try {
await run();
} catch (error) {
core.setFailed(`analyze action failed: ${error}`);
console.log(error);
}
}
void runWrapper();

1
src/analyze.test.ts
View file

@ -34,6 +34,7 @@ test("status report fields", async (t) => {
tempDir: tmpDir,
toolCacheDir: tmpDir,
codeQLCmd: "",
gitHubVersion: { type: "dotcom" } as util.GitHubVersion,
};
fs.mkdirSync(util.getCodeQLDatabasePath(config.tempDir, language), {
recursive: true,

19
src/api-client.test.ts
View file

@ -1,19 +0,0 @@
import test from "ava";
import { apiVersionInRange, DisallowedAPIVersionReason } from "./api-client";
test("allowed API versions", async (t) => {
t.is(apiVersionInRange("1.33.0", "1.33", "2.0"), undefined);
t.is(apiVersionInRange("1.33.1", "1.33", "2.0"), undefined);
t.is(apiVersionInRange("1.34.0", "1.33", "2.0"), undefined);
t.is(apiVersionInRange("2.0.0", "1.33", "2.0"), undefined);
t.is(apiVersionInRange("2.0.1", "1.33", "2.0"), undefined);
t.is(
apiVersionInRange("1.32.0", "1.33", "2.0"),
DisallowedAPIVersionReason.ACTION_TOO_NEW
);
t.is(
apiVersionInRange("2.1.0", "1.33", "2.0"),
DisallowedAPIVersionReason.ACTION_TOO_OLD
);
});

82
src/api-client.ts
View file

@ -1,16 +1,10 @@
import * as path from "path";
import { exportVariable } from "@actions/core";
import * as githubUtils from "@actions/github/lib/utils";
import * as retry from "@octokit/plugin-retry";
import { OctokitResponse } from "@octokit/types";
import consoleLogLevel from "console-log-level";
import * as semver from "semver";
import { getRequiredEnvParam, getRequiredInput } from "./actions-util";
import * as apiCompatibility from "./api-compatibility.json";
import { Logger, getActionsLogger } from "./logging";
import { isLocalRun, Mode } from "./util";
import { isLocalRun } from "./util";
export enum DisallowedAPIVersionReason {
ACTION_TOO_OLD,
@ -22,66 +16,14 @@ export interface GitHubApiDetails {
url: string;
}
const GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
const CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR =
"CODEQL_ACTION_WARNED_ABOUT_VERSION";
let hasBeenWarnedAboutVersion = false;
export const getApiClient = function (
apiDetails: GitHubApiDetails,
mode: Mode,
logger: Logger,
allowLocalRun = false,
possibleFailureExpected = false
allowLocalRun = false
) {
if (isLocalRun() && !allowLocalRun) {
throw new Error("Invalid API call in local run");
}
const customOctokit = githubUtils.GitHub.plugin(retry.retry, (octokit, _) => {
octokit.hook.after("request", (response: OctokitResponse<any>, __) => {
if (response.status < 400 && !possibleFailureExpected) {
if (hasBeenWarnedAboutVersion) {
return;
}
}
if (
response.headers[GITHUB_ENTERPRISE_VERSION_HEADER] === undefined ||
process.env[CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR] === undefined
) {
return;
}
const installedVersion = response.headers[
GITHUB_ENTERPRISE_VERSION_HEADER
] as string;
const disallowedAPIVersionReason = apiVersionInRange(
installedVersion,
apiCompatibility.minimumVersion,
apiCompatibility.maximumVersion
);
const toolName = mode === "actions" ? "Action" : "Runner";
if (
disallowedAPIVersionReason === DisallowedAPIVersionReason.ACTION_TOO_OLD
) {
logger.warning(
`The CodeQL ${toolName} version you are using is too old to be compatible with GitHub Enterprise ${installedVersion}. If you experience issues, please upgrade to a more recent version of the CodeQL ${toolName}.`
);
}
if (
disallowedAPIVersionReason === DisallowedAPIVersionReason.ACTION_TOO_NEW
) {
logger.warning(
`GitHub Enterprise ${installedVersion} is too old to be compatible with this version of the CodeQL ${toolName}. If you experience issues, please upgrade to a more recent version of GitHub Enterprise or use an older version of the CodeQL ${toolName}.`
);
}
hasBeenWarnedAboutVersion = true;
if (mode === "actions") {
exportVariable(CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR, true);
}
});
});
return new customOctokit(
return new githubUtils.GitHub(
githubUtils.getOctokitOptions(apiDetails.auth, {
baseUrl: getApiUrl(apiDetails.url),
userAgent: "CodeQL Action",
@ -93,7 +35,7 @@ export const getApiClient = function (
function getApiUrl(githubUrl: string): string {
const url = new URL(githubUrl);
// If we detect this is trying to be to github.com
// If we detect this is trying to connect to github.com
// then return with a fixed canonical URL.
if (url.hostname === "github.com" || url.hostname === "api.github.com") {
return "https://api.github.com";
@ -113,19 +55,5 @@ export function getActionsApiClient(allowLocalRun = false) {
url: getRequiredEnvParam("GITHUB_SERVER_URL"),
};
return getApiClient(apiDetails, "actions", getActionsLogger(), allowLocalRun);
}
export function apiVersionInRange(
version: string,
minimumVersion: string,
maximumVersion: string
): DisallowedAPIVersionReason | undefined {
if (!semver.satisfies(version, `>=${minimumVersion}`)) {
return DisallowedAPIVersionReason.ACTION_TOO_NEW;
}
if (!semver.satisfies(version, `<=${maximumVersion}`)) {
return DisallowedAPIVersionReason.ACTION_TOO_OLD;
}
return undefined;
return getApiClient(apiDetails, allowLocalRun);
}

14
src/autobuild-action.ts
View file

@ -86,7 +86,13 @@ async function run() {
await sendCompletedStatusReport(startedAt, language ? [language] : []);
}
run().catch((e) => {
core.setFailed(`autobuild action failed. ${e}`);
console.log(e);
});
async function runWrapper() {
try {
await run();
} catch (error) {
core.setFailed(`autobuild action failed. ${error}`);
console.log(error);
}
}
void runWrapper();

12
src/codeql.ts
View file

@ -190,13 +190,11 @@ async function getCodeQLBundleDownloadURL(
}
const [repositoryOwner, repositoryName] = repository.split("/");
try {
const release = await api
.getApiClient(apiDetails, mode, logger, false, true)
.repos.getReleaseByTag({
owner: repositoryOwner,
repo: repositoryName,
tag: CODEQL_BUNDLE_VERSION,
});
const release = await api.getApiClient(apiDetails).repos.getReleaseByTag({
owner: repositoryOwner,
repo: repositoryName,
tag: CODEQL_BUNDLE_VERSION,
});
for (const asset of release.data.assets) {
if (asset.name === codeQLBundleName) {
logger.info(

43
src/config-utils.test.ts
View file

@ -20,6 +20,8 @@ const sampleApiDetails = {
url: "https://github.example.com",
};
const gitHubVersion = { type: "dotcom" } as util.GitHubVersion;
// Returns the filepath of the newly-created file
function createConfigFile(inputFileContents: string, tmpDir: string): string {
const configFilePath = path.join(tmpDir, "input");
@ -81,8 +83,8 @@ test("load empty config", async (t) => {
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
logger
);
@ -96,8 +98,8 @@ test("load empty config", async (t) => {
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
logger
)
);
@ -133,8 +135,8 @@ test("loading config saves config", async (t) => {
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
logger
);
@ -159,8 +161,8 @@ test("load input outside of workspace", async (t) => {
tmpDir,
getCachedCodeQL(),
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
throw new Error("initConfig did not throw error");
@ -192,8 +194,8 @@ test("load non-local input with invalid repo syntax", async (t) => {
tmpDir,
getCachedCodeQL(),
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
throw new Error("initConfig did not throw error");
@ -226,8 +228,8 @@ test("load non-existent input", async (t) => {
tmpDir,
getCachedCodeQL(),
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
throw new Error("initConfig did not throw error");
@ -296,6 +298,7 @@ test("load non-empty input", async (t) => {
tempDir: tmpDir,
toolCacheDir: tmpDir,
codeQLCmd: codeQL.getPath(),
gitHubVersion,
};
const languages = "javascript";
@ -310,8 +313,8 @@ test("load non-empty input", async (t) => {
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
@ -371,8 +374,8 @@ test("Default queries are used", async (t) => {
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
@ -440,8 +443,8 @@ test("Queries can be specified in config file", async (t) => {
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
@ -503,8 +506,8 @@ test("Queries from config file can be overridden in workflow file", async (t) =>
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
@ -564,8 +567,8 @@ test("Queries in workflow file can be used in tandem with the 'disable default q
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
@ -615,8 +618,8 @@ test("Multiple queries can be specified in workflow file, no config file require
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
@ -684,8 +687,8 @@ test("Queries in workflow file can be added to the set of queries without overri
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
@ -746,8 +749,8 @@ test("Invalid queries in workflow file handled correctly", async (t) => {
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
t.fail("initConfig did not throw error");
@ -808,8 +811,8 @@ test("API client used when reading remote config", async (t) => {
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
t.assert(spyGetContents.called);
@ -832,8 +835,8 @@ test("Remote config handles the case where a directory is provided", async (t) =
tmpDir,
getCachedCodeQL(),
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
throw new Error("initConfig did not throw error");
@ -864,8 +867,8 @@ test("Invalid format of remote config handled correctly", async (t) => {
tmpDir,
getCachedCodeQL(),
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
throw new Error("initConfig did not throw error");
@ -892,8 +895,8 @@ test("No detected languages", async (t) => {
tmpDir,
getCachedCodeQL(),
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
throw new Error("initConfig did not throw error");
@ -917,8 +920,8 @@ test("Unknown languages", async (t) => {
tmpDir,
getCachedCodeQL(),
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
throw new Error("initConfig did not throw error");
@ -963,8 +966,8 @@ function doInvalidInputTest(
tmpDir,
codeQL,
tmpDir,
gitHubVersion,
sampleApiDetails,
"runner",
getRunnerLogger(true)
);
throw new Error("initConfig did not throw error");

47
src/config-utils.ts
View file

@ -9,7 +9,7 @@ import * as externalQueries from "./external-queries";
import { Language, parseLanguage } from "./languages";
import { Logger } from "./logging";
import { RepositoryNwo } from "./repository";
import { Mode } from "./util";
import { GitHubVersion } from "./util";
// Property names from the user-supplied config file.
const NAME_PROPERTY = "name";
@ -93,6 +93,11 @@ export interface Config {
* Path of the CodeQL executable.
*/
codeQLCmd: string;
/**
* Version of GHES that we have determined that we are talking to, or undefined
* if talking to github.com.
*/
gitHubVersion: GitHubVersion;
}
/**
@ -592,12 +597,11 @@ export function getUnknownLanguagesError(languages: string[]): string {
async function getLanguagesInRepo(
repository: RepositoryNwo,
apiDetails: api.GitHubApiDetails,
mode: Mode,
logger: Logger
): Promise<Language[]> {
logger.debug(`GitHub repo ${repository.owner} ${repository.repo}`);
const response = await api
.getApiClient(apiDetails, mode, logger, true)
.getApiClient(apiDetails, true)
.repos.listLanguages({
owner: repository.owner,
repo: repository.repo,
@ -633,7 +637,6 @@ async function getLanguages(
languagesInput: string | undefined,
repository: RepositoryNwo,
apiDetails: api.GitHubApiDetails,
mode: Mode,
logger: Logger
): Promise<Language[]> {
// Obtain from action input 'languages' if set
@ -645,7 +648,7 @@ async function getLanguages(
if (languages.length === 0) {
// Obtain languages as all languages in the repo that can be analysed
languages = await getLanguagesInRepo(repository, apiDetails, mode, logger);
languages = await getLanguagesInRepo(repository, apiDetails, logger);
logger.info(
`Automatically detected languages: ${JSON.stringify(languages)}`
);
@ -726,15 +729,14 @@ export async function getDefaultConfig(
toolCacheDir: string,
codeQL: CodeQL,
checkoutPath: string,
gitHubVersion: GitHubVersion,
apiDetails: api.GitHubApiDetails,
mode: Mode,
logger: Logger
): Promise<Config> {
const languages = await getLanguages(
languagesInput,
repository,
apiDetails,
mode,
logger
);
const queries: Queries = {};
@ -761,6 +763,7 @@ export async function getDefaultConfig(
tempDir,
toolCacheDir,
codeQLCmd: codeQL.getPath(),
gitHubVersion,
};
}
@ -776,8 +779,8 @@ async function loadConfig(
toolCacheDir: string,
codeQL: CodeQL,
checkoutPath: string,
gitHubVersion: GitHubVersion,
apiDetails: api.GitHubApiDetails,
mode: Mode,
logger: Logger
): Promise<Config> {
let parsedYAML: UserConfig;
@ -787,7 +790,7 @@ async function loadConfig(
configFile = path.resolve(checkoutPath, configFile);
parsedYAML = getLocalConfig(configFile, checkoutPath);
} else {
parsedYAML = await getRemoteConfig(configFile, apiDetails, mode, logger);
parsedYAML = await getRemoteConfig(configFile, apiDetails);
}
// Validate that the 'name' property is syntactically correct,
@ -805,7 +808,6 @@ async function loadConfig(
languagesInput,
repository,
apiDetails,
mode,
logger
);
@ -925,6 +927,7 @@ async function loadConfig(
tempDir,
toolCacheDir,
codeQLCmd: codeQL.getPath(),
gitHubVersion,
};
}
@ -943,8 +946,8 @@ export async function initConfig(
toolCacheDir: string,
codeQL: CodeQL,
checkoutPath: string,
gitHubVersion: GitHubVersion,
apiDetails: api.GitHubApiDetails,
mode: Mode,
logger: Logger
): Promise<Config> {
let config: Config;
@ -960,8 +963,8 @@ export async function initConfig(
toolCacheDir,
codeQL,
checkoutPath,
gitHubVersion,
apiDetails,
mode,
logger
);
} else {
@ -974,8 +977,8 @@ export async function initConfig(
toolCacheDir,
codeQL,
checkoutPath,
gitHubVersion,
apiDetails,
mode,
logger
);
}
@ -1010,9 +1013,7 @@ function getLocalConfig(configFile: string, checkoutPath: string): UserConfig {
async function getRemoteConfig(
configFile: string,
apiDetails: api.GitHubApiDetails,
mode: Mode,
logger: Logger
apiDetails: api.GitHubApiDetails
): Promise<UserConfig> {
// retrieve the various parts of the config location, and ensure they're present
const format = new RegExp(
@ -1024,14 +1025,12 @@ async function getRemoteConfig(
throw new Error(getConfigFileRepoFormatInvalidMessage(configFile));
}
const response = await api
.getApiClient(apiDetails, mode, logger, true)
.repos.getContent({
owner: pieces.groups.owner,
repo: pieces.groups.repo,
path: pieces.groups.path,
ref: pieces.groups.ref,
});
const response = await api.getApiClient(apiDetails, true).repos.getContent({
owner: pieces.groups.owner,
repo: pieces.groups.repo,
path: pieces.groups.path,
ref: pieces.groups.ref,
});
let fileContents: string;
if ("content" in response.data && response.data.content !== undefined) {

2
src/defaults.json
View file

@ -1,3 +1,3 @@
{
"bundleVersion": "codeql-bundle-20201106"
"bundleVersion": "codeql-bundle-20201127"
}

52
src/init-action.ts
View file

@ -13,6 +13,7 @@ import {
import { Language } from "./languages";
import { getActionsLogger } from "./logging";
import { parseRepositoryNwo } from "./repository";
import { checkGitHubVersionInRange, getGitHubVersion } from "./util";
interface InitSuccessStatusReport extends actionsUtil.StatusReportBase {
// Comma-separated list of languages that analysis was run for
@ -93,22 +94,45 @@ async function run() {
let codeql: CodeQL;
let toolsVersion: string;
const apiDetails = {
auth: actionsUtil.getRequiredInput("token"),
url: actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"),
};
const gitHubVersion = await getGitHubVersion(apiDetails);
if (gitHubVersion !== undefined) {
checkGitHubVersionInRange(gitHubVersion, "actions", logger);
}
try {
actionsUtil.prepareLocalRunEnvironment();
const workflowErrors = await actionsUtil.getWorkflowErrors();
// we do not want to worry users if linting is failing
// but we do want to send a status report containing this error code
// below
const userWorkflowErrors = workflowErrors.filter(
(o) => o.code !== "LintFailed"
);
if (userWorkflowErrors.length > 0) {
core.warning(actionsUtil.formatWorkflowErrors(userWorkflowErrors));
}
if (
!(await actionsUtil.sendStatusReport(
await actionsUtil.createStatusReportBase("init", "starting", startedAt)
await actionsUtil.createStatusReportBase(
"init",
"starting",
startedAt,
actionsUtil.formatWorkflowCause(workflowErrors)
)
))
) {
return;
}
const apiDetails = {
auth: actionsUtil.getRequiredInput("token"),
url: actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"),
};
const initCodeQLResult = await initCodeQL(
actionsUtil.getOptionalInput("tools"),
apiDetails,
@ -129,8 +153,8 @@ async function run() {
actionsUtil.getRequiredEnvParam("RUNNER_TOOL_CACHE"),
codeql,
actionsUtil.getRequiredEnvParam("GITHUB_WORKSPACE"),
gitHubVersion,
apiDetails,
"actions",
logger
);
@ -209,7 +233,13 @@ async function run() {
await sendSuccessStatusReport(startedAt, config, toolsVersion);
}
run().catch((e) => {
core.setFailed(`init action failed: ${e}`);
console.log(e);
});
async function runWrapper() {
try {
await run();
} catch (error) {
core.setFailed(`init action failed: ${error}`);
console.log(error);
}
}
void runWrapper();

4
src/init.ts
View file

@ -44,8 +44,8 @@ export async function initConfig(
toolCacheDir: string,
codeQL: CodeQL,
checkoutPath: string,
gitHubVersion: util.GitHubVersion,
apiDetails: GitHubApiDetails,
mode: util.Mode,
logger: Logger
): Promise<configUtils.Config> {
logger.startGroup("Load language configuration");
@ -58,8 +58,8 @@ export async function initConfig(
toolCacheDir,
codeQL,
checkoutPath,
gitHubVersion,
apiDetails,
mode,
logger
);
analysisPaths.printPathFiltersWarning(config, logger);

13
src/runner.ts
View file

@ -14,7 +14,9 @@ import { getRunnerLogger } from "./logging";
import { parseRepositoryNwo } from "./repository";
import * as upload_lib from "./upload-lib";
import {
checkGitHubVersionInRange,
getAddSnippetsFlag,
getGitHubVersion,
getMemoryFlag,
getThreadsFlag,
parseGithubUrl,
@ -151,6 +153,11 @@ program
url: parseGithubUrl(cmd.githubUrl),
};
const gitHubVersion = await getGitHubVersion(apiDetails);
if (gitHubVersion !== undefined) {
checkGitHubVersionInRange(gitHubVersion, "runner", logger);
}
let codeql: CodeQL;
if (cmd.codeqlPath !== undefined) {
codeql = getCodeQL(cmd.codeqlPath);
@ -176,8 +183,8 @@ program
toolsDir,
codeql,
cmd.checkoutPath || process.cwd(),
gitHubVersion,
apiDetails,
"runner",
logger
);
@ -385,12 +392,14 @@ program
return;
}
const gitHubVersion = await getGitHubVersion(apiDetails);
await upload_lib.uploadFromRunner(
outputDir,
parseRepositoryNwo(cmd.repository),
cmd.commit,
parseRef(cmd.ref),
cmd.checkoutPath || process.cwd(),
gitHubVersion,
apiDetails,
logger
);
@ -444,12 +453,14 @@ program
url: parseGithubUrl(cmd.githubUrl),
};
try {
const gitHubVersion = await getGitHubVersion(apiDetails);
await upload_lib.uploadFromRunner(
cmd.sarifFile,
parseRepositoryNwo(cmd.repository),
cmd.commit,
parseRef(cmd.ref),
cmd.checkoutPath || process.cwd(),
gitHubVersion,
apiDetails,
logger
);

446
src/testdata/pull_request.json vendored Normal file
View file

@ -0,0 +1,446 @@
{
"action": "opened",
"number": 2,
"pull_request": {
"url": "https://api.github.com/repos/Codertocat/Hello-World/pulls/2",
"id": 279147437,
"node_id": "MDExOlB1bGxSZXF1ZXN0Mjc5MTQ3NDM3",
"html_url": "https://github.com/Codertocat/Hello-World/pull/2",
"diff_url": "https://github.com/Codertocat/Hello-World/pull/2.diff",
"patch_url": "https://github.com/Codertocat/Hello-World/pull/2.patch",
"issue_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/2",
"number": 2,
"state": "open",
"locked": false,
"title": "Update the README with new information.",
"user": {
"login": "Codertocat",
"id": 21031067,
"node_id": "MDQ6VXNlcjIxMDMxMDY3",
"avatar_url": "https://avatars1.githubusercontent.com/u/21031067?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/Codertocat",
"html_url": "https://github.com/Codertocat",
"followers_url": "https://api.github.com/users/Codertocat/followers",
"following_url": "https://api.github.com/users/Codertocat/following{/other_user}",
"gists_url": "https://api.github.com/users/Codertocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/Codertocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/Codertocat/subscriptions",
"organizations_url": "https://api.github.com/users/Codertocat/orgs",
"repos_url": "https://api.github.com/users/Codertocat/repos",
"events_url": "https://api.github.com/users/Codertocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/Codertocat/received_events",
"type": "User",
"site_admin": false
},
"body": "This is a pretty simple change that we need to pull into master.",
"created_at": "2019-05-15T15:20:33Z",
"updated_at": "2019-05-15T15:20:33Z",
"closed_at": null,
"merged_at": null,
"merge_commit_sha": null,
"assignee": null,
"assignees": [],
"requested_reviewers": [],
"requested_teams": [],
"labels": [],
"milestone": null,
"commits_url": "https://api.github.com/repos/Codertocat/Hello-World/pulls/2/commits",
"review_comments_url": "https://api.github.com/repos/Codertocat/Hello-World/pulls/2/comments",
"review_comment_url": "https://api.github.com/repos/Codertocat/Hello-World/pulls/comments{/number}",
"comments_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/2/comments",
"statuses_url": "https://api.github.com/repos/Codertocat/Hello-World/statuses/ec26c3e57ca3a959ca5aad62de7213c562f8c821",
"head": {
"label": "Codertocat:changes",
"ref": "changes",
"sha": "ec26c3e57ca3a959ca5aad62de7213c562f8c821",
"user": {
"login": "Codertocat",
"id": 21031067,
"node_id": "MDQ6VXNlcjIxMDMxMDY3",
"avatar_url": "https://avatars1.githubusercontent.com/u/21031067?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/Codertocat",
"html_url": "https://github.com/Codertocat",
"followers_url": "https://api.github.com/users/Codertocat/followers",
"following_url": "https://api.github.com/users/Codertocat/following{/other_user}",
"gists_url": "https://api.github.com/users/Codertocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/Codertocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/Codertocat/subscriptions",
"organizations_url": "https://api.github.com/users/Codertocat/orgs",
"repos_url": "https://api.github.com/users/Codertocat/repos",
"events_url": "https://api.github.com/users/Codertocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/Codertocat/received_events",
"type": "User",
"site_admin": false
},
"repo": {
"id": 186853002,
"node_id": "MDEwOlJlcG9zaXRvcnkxODY4NTMwMDI=",
"name": "Hello-World",
"full_name": "Codertocat/Hello-World",
"private": false,
"owner": {
"login": "Codertocat",
"id": 21031067,
"node_id": "MDQ6VXNlcjIxMDMxMDY3",
"avatar_url": "https://avatars1.githubusercontent.com/u/21031067?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/Codertocat",
"html_url": "https://github.com/Codertocat",
"followers_url": "https://api.github.com/users/Codertocat/followers",
"following_url": "https://api.github.com/users/Codertocat/following{/other_user}",
"gists_url": "https://api.github.com/users/Codertocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/Codertocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/Codertocat/subscriptions",
"organizations_url": "https://api.github.com/users/Codertocat/orgs",
"repos_url": "https://api.github.com/users/Codertocat/repos",
"events_url": "https://api.github.com/users/Codertocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/Codertocat/received_events",
"type": "User",
"site_admin": false
},
"html_url": "https://github.com/Codertocat/Hello-World",
"description": null,
"fork": false,
"url": "https://api.github.com/repos/Codertocat/Hello-World",
"forks_url": "https://api.github.com/repos/Codertocat/Hello-World/forks",
"keys_url": "https://api.github.com/repos/Codertocat/Hello-World/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/Codertocat/Hello-World/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/Codertocat/Hello-World/teams",
"hooks_url": "https://api.github.com/repos/Codertocat/Hello-World/hooks",
"issue_events_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/events{/number}",
"events_url": "https://api.github.com/repos/Codertocat/Hello-World/events",
"assignees_url": "https://api.github.com/repos/Codertocat/Hello-World/assignees{/user}",
"branches_url": "https://api.github.com/repos/Codertocat/Hello-World/branches{/branch}",
"tags_url": "https://api.github.com/repos/Codertocat/Hello-World/tags",
"blobs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/Codertocat/Hello-World/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/Codertocat/Hello-World/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/Codertocat/Hello-World/statuses/{sha}",
"languages_url": "https://api.github.com/repos/Codertocat/Hello-World/languages",
"stargazers_url": "https://api.github.com/repos/Codertocat/Hello-World/stargazers",
"contributors_url": "https://api.github.com/repos/Codertocat/Hello-World/contributors",
"subscribers_url": "https://api.github.com/repos/Codertocat/Hello-World/subscribers",
"subscription_url": "https://api.github.com/repos/Codertocat/Hello-World/subscription",
"commits_url": "https://api.github.com/repos/Codertocat/Hello-World/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/Codertocat/Hello-World/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/Codertocat/Hello-World/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/Codertocat/Hello-World/contents/{+path}",
"compare_url": "https://api.github.com/repos/Codertocat/Hello-World/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/Codertocat/Hello-World/merges",
"archive_url": "https://api.github.com/repos/Codertocat/Hello-World/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/Codertocat/Hello-World/downloads",
"issues_url": "https://api.github.com/repos/Codertocat/Hello-World/issues{/number}",
"pulls_url": "https://api.github.com/repos/Codertocat/Hello-World/pulls{/number}",
"milestones_url": "https://api.github.com/repos/Codertocat/Hello-World/milestones{/number}",
"notifications_url": "https://api.github.com/repos/Codertocat/Hello-World/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/Codertocat/Hello-World/labels{/name}",
"releases_url": "https://api.github.com/repos/Codertocat/Hello-World/releases{/id}",
"deployments_url": "https://api.github.com/repos/Codertocat/Hello-World/deployments",
"created_at": "2019-05-15T15:19:25Z",
"updated_at": "2019-05-15T15:19:27Z",
"pushed_at": "2019-05-15T15:20:32Z",
"git_url": "git://github.com/Codertocat/Hello-World.git",
"ssh_url": "git@github.com:Codertocat/Hello-World.git",
"clone_url": "https://github.com/Codertocat/Hello-World.git",
"svn_url": "https://github.com/Codertocat/Hello-World",
"homepage": null,
"size": 0,
"stargazers_count": 0,
"watchers_count": 0,
"language": null,
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": true,
"forks_count": 0,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 2,
"license": null,
"forks": 0,
"open_issues": 2,
"watchers": 0,
"default_branch": "master"
}
},
"base": {
"label": "Codertocat:master",
"ref": "master",
"sha": "f95f852bd8fca8fcc58a9a2d6c842781e32a215e",
"user": {
"login": "Codertocat",
"id": 21031067,
"node_id": "MDQ6VXNlcjIxMDMxMDY3",
"avatar_url": "https://avatars1.githubusercontent.com/u/21031067?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/Codertocat",
"html_url": "https://github.com/Codertocat",
"followers_url": "https://api.github.com/users/Codertocat/followers",
"following_url": "https://api.github.com/users/Codertocat/following{/other_user}",
"gists_url": "https://api.github.com/users/Codertocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/Codertocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/Codertocat/subscriptions",
"organizations_url": "https://api.github.com/users/Codertocat/orgs",
"repos_url": "https://api.github.com/users/Codertocat/repos",
"events_url": "https://api.github.com/users/Codertocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/Codertocat/received_events",
"type": "User",
"site_admin": false
},
"repo": {
"id": 186853002,
"node_id": "MDEwOlJlcG9zaXRvcnkxODY4NTMwMDI=",
"name": "Hello-World",
"full_name": "Codertocat/Hello-World",
"private": false,
"owner": {
"login": "Codertocat",
"id": 21031067,
"node_id": "MDQ6VXNlcjIxMDMxMDY3",
"avatar_url": "https://avatars1.githubusercontent.com/u/21031067?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/Codertocat",
"html_url": "https://github.com/Codertocat",
"followers_url": "https://api.github.com/users/Codertocat/followers",
"following_url": "https://api.github.com/users/Codertocat/following{/other_user}",
"gists_url": "https://api.github.com/users/Codertocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/Codertocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/Codertocat/subscriptions",
"organizations_url": "https://api.github.com/users/Codertocat/orgs",
"repos_url": "https://api.github.com/users/Codertocat/repos",
"events_url": "https://api.github.com/users/Codertocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/Codertocat/received_events",
"type": "User",
"site_admin": false
},
"html_url": "https://github.com/Codertocat/Hello-World",
"description": null,
"fork": false,
"url": "https://api.github.com/repos/Codertocat/Hello-World",
"forks_url": "https://api.github.com/repos/Codertocat/Hello-World/forks",
"keys_url": "https://api.github.com/repos/Codertocat/Hello-World/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/Codertocat/Hello-World/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/Codertocat/Hello-World/teams",
"hooks_url": "https://api.github.com/repos/Codertocat/Hello-World/hooks",
"issue_events_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/events{/number}",
"events_url": "https://api.github.com/repos/Codertocat/Hello-World/events",
"assignees_url": "https://api.github.com/repos/Codertocat/Hello-World/assignees{/user}",
"branches_url": "https://api.github.com/repos/Codertocat/Hello-World/branches{/branch}",
"tags_url": "https://api.github.com/repos/Codertocat/Hello-World/tags",
"blobs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/Codertocat/Hello-World/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/Codertocat/Hello-World/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/Codertocat/Hello-World/statuses/{sha}",
"languages_url": "https://api.github.com/repos/Codertocat/Hello-World/languages",
"stargazers_url": "https://api.github.com/repos/Codertocat/Hello-World/stargazers",
"contributors_url": "https://api.github.com/repos/Codertocat/Hello-World/contributors",
"subscribers_url": "https://api.github.com/repos/Codertocat/Hello-World/subscribers",
"subscription_url": "https://api.github.com/repos/Codertocat/Hello-World/subscription",
"commits_url": "https://api.github.com/repos/Codertocat/Hello-World/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/Codertocat/Hello-World/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/Codertocat/Hello-World/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/Codertocat/Hello-World/contents/{+path}",
"compare_url": "https://api.github.com/repos/Codertocat/Hello-World/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/Codertocat/Hello-World/merges",
"archive_url": "https://api.github.com/repos/Codertocat/Hello-World/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/Codertocat/Hello-World/downloads",
"issues_url": "https://api.github.com/repos/Codertocat/Hello-World/issues{/number}",
"pulls_url": "https://api.github.com/repos/Codertocat/Hello-World/pulls{/number}",
"milestones_url": "https://api.github.com/repos/Codertocat/Hello-World/milestones{/number}",
"notifications_url": "https://api.github.com/repos/Codertocat/Hello-World/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/Codertocat/Hello-World/labels{/name}",
"releases_url": "https://api.github.com/repos/Codertocat/Hello-World/releases{/id}",
"deployments_url": "https://api.github.com/repos/Codertocat/Hello-World/deployments",
"created_at": "2019-05-15T15:19:25Z",
"updated_at": "2019-05-15T15:19:27Z",
"pushed_at": "2019-05-15T15:20:32Z",
"git_url": "git://github.com/Codertocat/Hello-World.git",
"ssh_url": "git@github.com:Codertocat/Hello-World.git",
"clone_url": "https://github.com/Codertocat/Hello-World.git",
"svn_url": "https://github.com/Codertocat/Hello-World",
"homepage": null,
"size": 0,
"stargazers_count": 0,
"watchers_count": 0,
"language": null,
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": true,
"forks_count": 0,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 2,
"license": null,
"forks": 0,
"open_issues": 2,
"watchers": 0,
"default_branch": "master"
}
},
"_links": {
"self": {
"href": "https://api.github.com/repos/Codertocat/Hello-World/pulls/2"
},
"html": {
"href": "https://github.com/Codertocat/Hello-World/pull/2"
},
"issue": {
"href": "https://api.github.com/repos/Codertocat/Hello-World/issues/2"
},
"comments": {
"href": "https://api.github.com/repos/Codertocat/Hello-World/issues/2/comments"
},
"review_comments": {
"href": "https://api.github.com/repos/Codertocat/Hello-World/pulls/2/comments"
},
"review_comment": {
"href": "https://api.github.com/repos/Codertocat/Hello-World/pulls/comments{/number}"
},
"commits": {
"href": "https://api.github.com/repos/Codertocat/Hello-World/pulls/2/commits"
},
"statuses": {
"href": "https://api.github.com/repos/Codertocat/Hello-World/statuses/ec26c3e57ca3a959ca5aad62de7213c562f8c821"
}
},
"author_association": "OWNER",
"draft": false,
"merged": false,
"mergeable": null,
"rebaseable": null,
"mergeable_state": "unknown",
"merged_by": null,
"comments": 0,
"review_comments": 0,
"maintainer_can_modify": false,
"commits": 1,
"additions": 1,
"deletions": 1,
"changed_files": 1
},
"repository": {
"id": 186853002,
"node_id": "MDEwOlJlcG9zaXRvcnkxODY4NTMwMDI=",
"name": "Hello-World",
"full_name": "Codertocat/Hello-World",
"private": false,
"owner": {
"login": "Codertocat",
"id": 21031067,
"node_id": "MDQ6VXNlcjIxMDMxMDY3",
"avatar_url": "https://avatars1.githubusercontent.com/u/21031067?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/Codertocat",
"html_url": "https://github.com/Codertocat",
"followers_url": "https://api.github.com/users/Codertocat/followers",
"following_url": "https://api.github.com/users/Codertocat/following{/other_user}",
"gists_url": "https://api.github.com/users/Codertocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/Codertocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/Codertocat/subscriptions",
"organizations_url": "https://api.github.com/users/Codertocat/orgs",
"repos_url": "https://api.github.com/users/Codertocat/repos",
"events_url": "https://api.github.com/users/Codertocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/Codertocat/received_events",
"type": "User",
"site_admin": false
},
"html_url": "https://github.com/Codertocat/Hello-World",
"description": null,
"fork": false,
"url": "https://api.github.com/repos/Codertocat/Hello-World",
"forks_url": "https://api.github.com/repos/Codertocat/Hello-World/forks",
"keys_url": "https://api.github.com/repos/Codertocat/Hello-World/keys{/key_id}",
"collaborators_url": "https://api.github.com/repos/Codertocat/Hello-World/collaborators{/collaborator}",
"teams_url": "https://api.github.com/repos/Codertocat/Hello-World/teams",
"hooks_url": "https://api.github.com/repos/Codertocat/Hello-World/hooks",
"issue_events_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/events{/number}",
"events_url": "https://api.github.com/repos/Codertocat/Hello-World/events",
"assignees_url": "https://api.github.com/repos/Codertocat/Hello-World/assignees{/user}",
"branches_url": "https://api.github.com/repos/Codertocat/Hello-World/branches{/branch}",
"tags_url": "https://api.github.com/repos/Codertocat/Hello-World/tags",
"blobs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/blobs{/sha}",
"git_tags_url": "https://api.github.com/repos/Codertocat/Hello-World/git/tags{/sha}",
"git_refs_url": "https://api.github.com/repos/Codertocat/Hello-World/git/refs{/sha}",
"trees_url": "https://api.github.com/repos/Codertocat/Hello-World/git/trees{/sha}",
"statuses_url": "https://api.github.com/repos/Codertocat/Hello-World/statuses/{sha}",
"languages_url": "https://api.github.com/repos/Codertocat/Hello-World/languages",
"stargazers_url": "https://api.github.com/repos/Codertocat/Hello-World/stargazers",
"contributors_url": "https://api.github.com/repos/Codertocat/Hello-World/contributors",
"subscribers_url": "https://api.github.com/repos/Codertocat/Hello-World/subscribers",
"subscription_url": "https://api.github.com/repos/Codertocat/Hello-World/subscription",
"commits_url": "https://api.github.com/repos/Codertocat/Hello-World/commits{/sha}",
"git_commits_url": "https://api.github.com/repos/Codertocat/Hello-World/git/commits{/sha}",
"comments_url": "https://api.github.com/repos/Codertocat/Hello-World/comments{/number}",
"issue_comment_url": "https://api.github.com/repos/Codertocat/Hello-World/issues/comments{/number}",
"contents_url": "https://api.github.com/repos/Codertocat/Hello-World/contents/{+path}",
"compare_url": "https://api.github.com/repos/Codertocat/Hello-World/compare/{base}...{head}",
"merges_url": "https://api.github.com/repos/Codertocat/Hello-World/merges",
"archive_url": "https://api.github.com/repos/Codertocat/Hello-World/{archive_format}{/ref}",
"downloads_url": "https://api.github.com/repos/Codertocat/Hello-World/downloads",
"issues_url": "https://api.github.com/repos/Codertocat/Hello-World/issues{/number}",
"pulls_url": "https://api.github.com/repos/Codertocat/Hello-World/pulls{/number}",
"milestones_url": "https://api.github.com/repos/Codertocat/Hello-World/milestones{/number}",
"notifications_url": "https://api.github.com/repos/Codertocat/Hello-World/notifications{?since,all,participating}",
"labels_url": "https://api.github.com/repos/Codertocat/Hello-World/labels{/name}",
"releases_url": "https://api.github.com/repos/Codertocat/Hello-World/releases{/id}",
"deployments_url": "https://api.github.com/repos/Codertocat/Hello-World/deployments",
"created_at": "2019-05-15T15:19:25Z",
"updated_at": "2019-05-15T15:19:27Z",
"pushed_at": "2019-05-15T15:20:32Z",
"git_url": "git://github.com/Codertocat/Hello-World.git",
"ssh_url": "git@github.com:Codertocat/Hello-World.git",
"clone_url": "https://github.com/Codertocat/Hello-World.git",
"svn_url": "https://github.com/Codertocat/Hello-World",
"homepage": null,
"size": 0,
"stargazers_count": 0,
"watchers_count": 0,
"language": null,
"has_issues": true,
"has_projects": true,
"has_downloads": true,
"has_wiki": true,
"has_pages": true,
"forks_count": 0,
"mirror_url": null,
"archived": false,
"disabled": false,
"open_issues_count": 2,
"license": null,
"forks": 0,
"open_issues": 2,
"watchers": 0,
"default_branch": "master"
},
"sender": {
"login": "Codertocat",
"id": 21031067,
"node_id": "MDQ6VXNlcjIxMDMxMDY3",
"avatar_url": "https://avatars1.githubusercontent.com/u/21031067?v=4",
"gravatar_id": "",
"url": "https://api.github.com/users/Codertocat",
"html_url": "https://github.com/Codertocat",
"followers_url": "https://api.github.com/users/Codertocat/followers",
"following_url": "https://api.github.com/users/Codertocat/following{/other_user}",
"gists_url": "https://api.github.com/users/Codertocat/gists{/gist_id}",
"starred_url": "https://api.github.com/users/Codertocat/starred{/owner}{/repo}",
"subscriptions_url": "https://api.github.com/users/Codertocat/subscriptions",
"organizations_url": "https://api.github.com/users/Codertocat/orgs",
"repos_url": "https://api.github.com/users/Codertocat/repos",
"events_url": "https://api.github.com/users/Codertocat/events{/privacy}",
"received_events_url": "https://api.github.com/users/Codertocat/received_events",
"type": "User",
"site_admin": false
}
}

1
src/tracer-config.test.ts
View file

@ -26,6 +26,7 @@ function getTestConfig(tmpDir: string): configUtils.Config {
tempDir: tmpDir,
toolCacheDir: tmpDir,
codeQLCmd: "",
gitHubVersion: { type: "dotcom" } as util.GitHubVersion,
};
}

74
src/upload-lib.test.ts
View file

@ -3,6 +3,7 @@ import test from "ava";
import { getRunnerLogger } from "./logging";
import { setupTests } from "./testing-utils";
import * as uploadLib from "./upload-lib";
import { GitHubVersion } from "./util";
setupTests(test);
@ -19,3 +20,76 @@ test("validateSarifFileSchema - invalid", (t) => {
uploadLib.validateSarifFileSchema(inputFile, getRunnerLogger(true))
);
});
test("validate correct payload used per version", async (t) => {
const newVersions: GitHubVersion[] = [
{ type: "dotcom" },
{ type: "ghes", version: "3.1.0" },
];
const oldVersions: GitHubVersion[] = [
{ type: "ghes", version: "2.22.1" },
{ type: "ghes", version: "3.0.0" },
];
const allVersions = newVersions.concat(oldVersions);
process.env["GITHUB_EVENT_NAME"] = "push";
for (const version of allVersions) {
const payload: any = uploadLib.buildPayload(
"commit",
"refs/heads/master",
"key",
undefined,
"",
undefined,
"/opt/src",
undefined,
["CodeQL", "eslint"],
version,
"actions"
);
// Not triggered by a pull request
t.falsy(payload.base_ref);
t.falsy(payload.base_sha);
}
process.env["GITHUB_EVENT_NAME"] = "pull_request";
process.env[
"GITHUB_EVENT_PATH"
] = `${__dirname}/../src/testdata/pull_request.json`;
for (const version of newVersions) {
const payload: any = uploadLib.buildPayload(
"commit",
"refs/pull/123/merge",
"key",
undefined,
"",
undefined,
"/opt/src",
undefined,
["CodeQL", "eslint"],
version,
"actions"
);
t.truthy(payload.base_ref);
t.truthy(payload.base_sha);
}
for (const version of oldVersions) {
const payload: any = uploadLib.buildPayload(
"commit",
"refs/pull/123/merge",
"key",
undefined,
"",
undefined,
"/opt/src",
undefined,
["CodeQL", "eslint"],
version,
"actions"
);
// These older versions won't expect these values
t.falsy(payload.base_ref);
t.falsy(payload.base_sha);
}
});

107
src/upload-lib.ts
View file

@ -5,6 +5,7 @@ import zlib from "zlib";
import * as core from "@actions/core";
import fileUrl from "file-url";
import * as jsonschema from "jsonschema";
import * as semver from "semver";
import * as api from "./api-client";
import * as fingerprints from "./fingerprints";
@ -55,7 +56,7 @@ async function uploadPayload(
return;
}
const client = api.getApiClient(apiDetails, mode, logger);
const client = api.getApiClient(apiDetails);
const reqURL =
mode === "actions"
@ -93,6 +94,7 @@ export async function uploadFromActions(
workflowRunID: number,
checkoutPath: string,
environment: string,
gitHubVersion: util.GitHubVersion,
apiDetails: api.GitHubApiDetails,
logger: Logger
): Promise<UploadStatusReport> {
@ -106,6 +108,7 @@ export async function uploadFromActions(
workflowRunID,
checkoutPath,
environment,
gitHubVersion,
apiDetails,
"actions",
logger
@ -121,6 +124,7 @@ export async function uploadFromRunner(
commitOid: string,
ref: string,
checkoutPath: string,
gitHubVersion: util.GitHubVersion,
apiDetails: api.GitHubApiDetails,
logger: Logger
): Promise<UploadStatusReport> {
@ -134,6 +138,7 @@ export async function uploadFromRunner(
undefined,
checkoutPath,
undefined,
gitHubVersion,
apiDetails,
"runner",
logger
@ -197,6 +202,65 @@ export function validateSarifFileSchema(sarifFilePath: string, logger: Logger) {
}
}
// buildPayload constructs a map ready to be uploaded to the API from the given
// parameters, respecting the current mode and target GitHub instance version.
export function buildPayload(
commitOid: string,
ref: string,
analysisKey: string | undefined,
analysisName: string | undefined,
zippedSarif: string,
workflowRunID: number | undefined,
checkoutURI: string,
environment: string | undefined,
toolNames: string[],
gitHubVersion: util.GitHubVersion,
mode: util.Mode
) {
if (mode === "actions") {
const payloadObj = {
commit_oid: commitOid,
ref,
analysis_key: analysisKey,
analysis_name: analysisName,
sarif: zippedSarif,
workflow_run_id: workflowRunID,
checkout_uri: checkoutURI,
environment,
started_at: process.env[sharedEnv.CODEQL_WORKFLOW_STARTED_AT],
tool_names: toolNames,
base_ref: undefined as undefined | string,
base_sha: undefined as undefined | string,
};
// This behaviour can be made the default when support for GHES 3.0 is discontinued.
if (
gitHubVersion.type === "dotcom" ||
semver.satisfies(gitHubVersion.version, `>=3.1`)
) {
if (
process.env.GITHUB_EVENT_NAME === "pull_request" &&
process.env.GITHUB_EVENT_PATH
) {
const githubEvent = JSON.parse(
fs.readFileSync(process.env.GITHUB_EVENT_PATH, "utf8")
);
payloadObj.base_ref = `refs/heads/$githubEvent.pull_request.base.ref`;
payloadObj.base_sha = githubEvent.pull_request.base.sha;
}
}
return payloadObj;
} else {
return {
commit_sha: commitOid,
ref,
sarif: zippedSarif,
checkout_uri: checkoutURI,
tool_name: toolNames[0],
};
}
}
// Uploads the given set of sarif files.
// Returns true iff the upload occurred and succeeded
async function uploadFiles(
@ -209,6 +273,7 @@ async function uploadFiles(
workflowRunID: number | undefined,
checkoutPath: string,
environment: string | undefined,
gitHubVersion: util.GitHubVersion,
apiDetails: api.GitHubApiDetails,
mode: util.Mode,
logger: Logger
@ -238,39 +303,29 @@ async function uploadFiles(
logger
);
const zipped_sarif = zlib.gzipSync(sarifPayload).toString("base64");
const zippedSarif = zlib.gzipSync(sarifPayload).toString("base64");
const checkoutURI = fileUrl(checkoutPath);
const toolNames = util.getToolNames(sarifPayload);
let payload: string;
if (mode === "actions") {
payload = JSON.stringify({
commit_oid: commitOid,
ref,
analysis_key: analysisKey,
analysis_name: analysisName,
sarif: zipped_sarif,
workflow_run_id: workflowRunID,
checkout_uri: checkoutURI,
environment,
started_at: process.env[sharedEnv.CODEQL_WORKFLOW_STARTED_AT],
tool_names: toolNames,
});
} else {
payload = JSON.stringify({
commit_sha: commitOid,
ref,
sarif: zipped_sarif,
checkout_uri: checkoutURI,
tool_name: toolNames[0],
});
}
const payload = buildPayload(
commitOid,
ref,
analysisKey,
analysisName,
zippedSarif,
workflowRunID,
checkoutURI,
environment,
toolNames,
gitHubVersion,
mode
);
// Log some useful debug info about the info
const rawUploadSizeBytes = sarifPayload.length;
logger.debug(`Raw upload size: ${rawUploadSizeBytes} bytes`);
const zippedUploadSizeBytes = zipped_sarif.length;
const zippedUploadSizeBytes = zippedSarif.length;
logger.debug(`Base64 zipped upload size: ${zippedUploadSizeBytes} bytes`);
const numResultInSarif = countResultsInSarif(sarifPayload);
logger.debug(`Number of results in upload: ${numResultInSarif}`);

18
src/upload-sarif-action.ts
View file

@ -4,6 +4,7 @@ import * as actionsUtil from "./actions-util";
import { getActionsLogger } from "./logging";
import { parseRepositoryNwo } from "./repository";
import * as upload_lib from "./upload-lib";
import { getGitHubVersion } from "./util";
interface UploadSarifStatusReport
extends actionsUtil.StatusReportBase,
@ -45,6 +46,8 @@ async function run() {
url: actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"),
};
const gitHubVersion = await getGitHubVersion(apiDetails);
const uploadStats = await upload_lib.uploadFromActions(
actionsUtil.getRequiredInput("sarif_file"),
parseRepositoryNwo(actionsUtil.getRequiredEnvParam("GITHUB_REPOSITORY")),
@ -55,6 +58,7 @@ async function run() {
actionsUtil.getWorkflowRunID(),
actionsUtil.getRequiredInput("checkout_path"),
actionsUtil.getRequiredInput("matrix"),
gitHubVersion,
apiDetails,
getActionsLogger()
);
@ -75,7 +79,13 @@ async function run() {
}
}
run().catch((e) => {
core.setFailed(`codeql/upload-sarif action failed: ${e}`);
console.log(e);
});
async function runWrapper() {
try {
await run();
} catch (error) {
core.setFailed(`codeql/upload-sarif action failed: ${error}`);
console.log(error);
}
}
void runWrapper();

58
src/util.test.ts
View file

@ -1,8 +1,11 @@
import * as fs from "fs";
import * as os from "os";
import * as github from "@actions/github";
import test from "ava";
import sinon from "sinon";
import * as api from "./api-client";
import { getRunnerLogger } from "./logging";
import { setupTests } from "./testing-utils";
import * as util from "./util";
@ -179,3 +182,58 @@ test("parseGithubUrl", (t) => {
message: '"http:///::::433" is not a valid URL',
});
});
test("allowed API versions", async (t) => {
t.is(util.apiVersionInRange("1.33.0", "1.33", "2.0"), undefined);
t.is(util.apiVersionInRange("1.33.1", "1.33", "2.0"), undefined);
t.is(util.apiVersionInRange("1.34.0", "1.33", "2.0"), undefined);
t.is(util.apiVersionInRange("2.0.0", "1.33", "2.0"), undefined);
t.is(util.apiVersionInRange("2.0.1", "1.33", "2.0"), undefined);
t.is(
util.apiVersionInRange("1.32.0", "1.33", "2.0"),
util.DisallowedAPIVersionReason.ACTION_TOO_NEW
);
t.is(
util.apiVersionInRange("2.1.0", "1.33", "2.0"),
util.DisallowedAPIVersionReason.ACTION_TOO_OLD
);
});
function mockGetMetaVersionHeader(
versionHeader: string | undefined
): sinon.SinonStub<any, any> {
// Passing an auth token is required, so we just use a dummy value
const client = github.getOctokit("123");
const response = {
headers: {
"x-github-enterprise-version": versionHeader,
},
};
const spyGetContents = sinon
.stub(client.meta, "get")
.resolves(response as any);
sinon.stub(api, "getApiClient").value(() => client);
return spyGetContents;
}
test("getGitHubVersion", async (t) => {
const v = await util.getGitHubVersion({
auth: "",
url: "https://github.com",
});
t.deepEqual("dotcom", v.type);
mockGetMetaVersionHeader("2.0");
const v2 = await util.getGitHubVersion({
auth: "",
url: "https://ghe.example.com",
});
t.deepEqual({ type: "ghes", version: "2.0" }, v2);
mockGetMetaVersionHeader(undefined);
const v3 = await util.getGitHubVersion({
auth: "",
url: "https://ghe.example.com",
});
t.deepEqual({ type: "dotcom" }, v3);
});

93
src/util.ts
View file

@ -2,6 +2,11 @@ import * as fs from "fs";
import * as os from "os";
import * as path from "path";
import * as core from "@actions/core";
import * as semver from "semver";
import { getApiClient, GitHubApiDetails } from "./api-client";
import * as apiCompatibility from "./api-compatibility.json";
import { Language } from "./languages";
import { Logger } from "./logging";
@ -208,3 +213,91 @@ export function parseGithubUrl(inputUrl: string): string {
return url.toString();
}
const GITHUB_ENTERPRISE_VERSION_HEADER = "x-github-enterprise-version";
const CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR =
"CODEQL_ACTION_WARNED_ABOUT_VERSION";
let hasBeenWarnedAboutVersion = false;
export type GitHubVersion =
| { type: "dotcom" }
| { type: "ghes"; version: string };
export async function getGitHubVersion(
apiDetails: GitHubApiDetails
): Promise<GitHubVersion> {
// We can avoid making an API request in the standard dotcom case
if (parseGithubUrl(apiDetails.url) === GITHUB_DOTCOM_URL) {
return { type: "dotcom" };
}
// Doesn't strictly have to be the meta endpoint as we're only
// using the response headers which are available on every request.
const apiClient = getApiClient(apiDetails);
const response = await apiClient.meta.get();
// This happens on dotcom, although we expect to have already returned in that
// case. This can also serve as a fallback in cases we haven't foreseen.
if (response.headers[GITHUB_ENTERPRISE_VERSION_HEADER] === undefined) {
return { type: "dotcom" };
}
const version = response.headers[GITHUB_ENTERPRISE_VERSION_HEADER] as string;
return { type: "ghes", version };
}
export function checkGitHubVersionInRange(
version: GitHubVersion,
mode: Mode,
logger: Logger
) {
if (hasBeenWarnedAboutVersion || version.type !== "ghes") {
return;
}
const disallowedAPIVersionReason = apiVersionInRange(
version.version,
apiCompatibility.minimumVersion,
apiCompatibility.maximumVersion
);
const toolName = mode === "actions" ? "Action" : "Runner";
if (
disallowedAPIVersionReason === DisallowedAPIVersionReason.ACTION_TOO_OLD
) {
logger.warning(
`The CodeQL ${toolName} version you are using is too old to be compatible with GitHub Enterprise ${version}. If you experience issues, please upgrade to a more recent version of the CodeQL ${toolName}.`
);
}
if (
disallowedAPIVersionReason === DisallowedAPIVersionReason.ACTION_TOO_NEW
) {
logger.warning(
`GitHub Enterprise ${version} is too old to be compatible with this version of the CodeQL ${toolName}. If you experience issues, please upgrade to a more recent version of GitHub Enterprise or use an older version of the CodeQL ${toolName}.`
);
}
hasBeenWarnedAboutVersion = true;
if (mode === "actions") {
core.exportVariable(CODEQL_ACTION_WARNED_ABOUT_VERSION_ENV_VAR, true);
}
}
export enum DisallowedAPIVersionReason {
ACTION_TOO_OLD,
ACTION_TOO_NEW,
}
export function apiVersionInRange(
version: string,
minimumVersion: string,
maximumVersion: string
): DisallowedAPIVersionReason | undefined {
if (!semver.satisfies(version, `>=${minimumVersion}`)) {
return DisallowedAPIVersionReason.ACTION_TOO_NEW;
}
if (!semver.satisfies(version, `<=${maximumVersion}`)) {
return DisallowedAPIVersionReason.ACTION_TOO_OLD;
}
return undefined;
}