robojerk/codeql-action

Merge pull request #1634 from github/update-v2.2.10-66aeadb4c

Browse source 
Merge main into releases/v2
This commit is contained in:
Alexander Eyers-Taylor 2023-04-05 17:13:56 +01:00 committed by GitHub
commit 8c8d71dde4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
98 changed files with 445 additions and 361 deletions
Download patch file Download diff file Expand all files Collapse all files

0
.github/check-codescanning-config/action.yml → .github/actions/check-codescanning-config/action.yml vendored
View file

0
.github/check-codescanning-config/index.ts → .github/actions/check-codescanning-config/index.ts vendored
View file

0
.github/check-sarif/action.yml → .github/actions/check-sarif/action.yml vendored
View file

0
.github/check-sarif/index.js → .github/actions/check-sarif/index.js vendored
View file

0
.github/prepare-test/action.yml → .github/actions/prepare-test/action.yml vendored
View file

2
.github/query-filter-test/action.yml → .github/actions/query-filter-test/action.yml vendored
View file

@ -44,7 +44,7 @@ runs:
env:
CODEQL_ACTION_TEST_MODE: "true"
- name: Check SARIF
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ inputs.sarif-file }}
queries-run: ${{ inputs.queries-run}}

0
.github/setup-swift/action.yml → .github/actions/setup-swift/action.yml vendored
View file

14
.github/actions/update-bundle/action.yml vendored Normal file
View file

@ -0,0 +1,14 @@
name: Update default CodeQL bundle
description: Updates 'src/defaults.json' to point to a new CodeQL bundle release.
runs:
using: composite
steps:
- name: Install ts-node
shell: bash
run: npm install -g ts-node
- name: Run update script
working-directory: ${{ github.action_path }}
shell: bash
run: ts-node ./index.ts

69
.github/actions/update-bundle/index.ts vendored Normal file
View file

@ -0,0 +1,69 @@
import * as fs from 'fs';
import * as github from '@actions/github';
interface BundleInfo {
bundleVersion: string;
cliVersion: string;
}
interface Defaults {
bundleVersion: string;
cliVersion: string;
priorBundleVersion: string;
priorCliVersion: string;
}
const CODEQL_BUNDLE_PREFIX = 'codeql-bundle-';
function getCodeQLCliVersionForRelease(release): string {
// We do not currently tag CodeQL bundles based on the CLI version they contain.
// Instead, we use a marker file `cli-version-<version>.txt` to record the CLI version.
// This marker file is uploaded as a release asset for all new CodeQL bundles.
const cliVersionsFromMarkerFiles = release.assets
.map((asset) => asset.name.match(/cli-version-(.*)\.txt/)?.[1])
.filter((v) => v)
.map((v) => v as string);
if (cliVersionsFromMarkerFiles.length > 1) {
throw new Error(
`Release ${release.tag_name} has multiple CLI version marker files.`
);
} else if (cliVersionsFromMarkerFiles.length === 0) {
throw new Error(
`Failed to find the CodeQL CLI version for release ${release.tag_name}.`
);
}
return cliVersionsFromMarkerFiles[0];
}
async function getBundleInfoFromRelease(release): Promise<BundleInfo> {
return {
bundleVersion: release.tag_name.substring(CODEQL_BUNDLE_PREFIX.length),
cliVersion: getCodeQLCliVersionForRelease(release)
};
}
async function getNewDefaults(currentDefaults: Defaults): Promise<Defaults> {
const release = github.context.payload.release;
console.log('Updating default bundle as a result of the following release: ' +
`${JSON.stringify(release)}.`)
const bundleInfo = await getBundleInfoFromRelease(release);
return {
bundleVersion: bundleInfo.bundleVersion,
cliVersion: bundleInfo.cliVersion,
priorBundleVersion: currentDefaults.bundleVersion,
priorCliVersion: currentDefaults.cliVersion
};
}
async function main() {
const previousDefaults: Defaults = JSON.parse(fs.readFileSync('../../../src/defaults.json', 'utf8'));
const newDefaults = await getNewDefaults(previousDefaults);
// Update the source file in the repository. Calling workflows should subsequently rebuild
// the Action to update `lib/defaults.json`.
fs.writeFileSync('../../../src/defaults.json', JSON.stringify(newDefaults, null, 2) + "\n");
}
// Ideally, we'd await main() here, but that doesn't work well with `ts-node`.
// So instead we rely on the fact that Node won't exit until the event loop is empty.
main();

2
.github/dependabot.yml vendored
View file

@ -16,6 +16,6 @@ updates:
schedule:
interval: weekly
- package-ecosystem: github-actions
directory: "/.github/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
schedule:
interval: weekly

2
.github/workflows/__analyze-ref-input.yml generated vendored
View file

@ -69,7 +69,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Go

2
.github/workflows/__autobuild-action.yml generated vendored
View file

@ -39,7 +39,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init

2
.github/workflows/__config-export.yml generated vendored
View file

@ -45,7 +45,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init

8
.github/workflows/__diagnostics-export.yml generated vendored
View file

@ -25,6 +25,12 @@ jobs:
strategy:
matrix:
include:
- os: ubuntu-latest
version: stable-20230317
- os: macos-latest
version: stable-20230317
- os: windows-latest
version: stable-20230317
- os: ubuntu-latest
version: latest
- os: macos-latest
@ -45,7 +51,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init

4
.github/workflows/__export-file-baseline-information.yml generated vendored
View file

@ -39,7 +39,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init
@ -49,7 +49,7 @@ jobs:
tools: ${{ steps.prepare-test.outputs.tools-url }}
env:
CODEQL_FILE_BASELINE_INFORMATION: true
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Build code

2
.github/workflows/__extractor-ram-threads.yml generated vendored
View file

@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init

2
.github/workflows/__go-custom-queries.yml generated vendored
View file

@ -69,7 +69,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Go

2
.github/workflows/__go-tracing-autobuilder.yml generated vendored
View file

@ -57,7 +57,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Go

2
.github/workflows/__go-tracing-custom-build-steps.yml generated vendored
View file

@ -57,7 +57,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Go

2
.github/workflows/__go-tracing-legacy-workflow.yml generated vendored
View file

@ -57,7 +57,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Go

10
.github/workflows/__init-with-registries.yml generated vendored
View file

@ -51,7 +51,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Init with registries
@ -69,8 +69,8 @@ jobs:
- name: Verify packages installed
shell: bash
run: |
PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
if [[ -d $PRIVATE_PACK ]]
then
@ -117,5 +117,9 @@ jobs:
cat $QLCONFIG_PATH
exit 1
fi
permissions:
contents: read
packages: read
env:
CODEQL_ACTION_TEST_MODE: true

2
.github/workflows/__javascript-source-root.yml generated vendored
View file

@ -39,7 +39,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Move codeql-action

4
.github/workflows/__ml-powered-queries.yml generated vendored
View file

@ -57,7 +57,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Go
@ -85,7 +85,7 @@ jobs:
retention-days: 7
- name: Check sarif
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
# Running on Windows requires CodeQL CLI 2.9.0+.
if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
with:

4
.github/workflows/__multi-language-autodetect.yml generated vendored
View file

@ -57,7 +57,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Go
@ -71,7 +71,7 @@ jobs:
db-location: ${{ runner.temp }}/customDbLocation
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}

6
.github/workflows/__packaging-codescanning-config-inputs-js.yml generated vendored
View file

@ -51,13 +51,13 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging3.yml
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
@ -69,7 +69,7 @@ jobs:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

6
.github/workflows/__packaging-config-inputs-js.yml generated vendored
View file

@ -51,13 +51,13 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging3.yml
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
@ -69,7 +69,7 @@ jobs:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

4
.github/workflows/__packaging-config-js.yml generated vendored
View file

@ -51,7 +51,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init
@ -68,7 +68,7 @@ jobs:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

6
.github/workflows/__packaging-inputs-js.yml generated vendored
View file

@ -51,14 +51,14 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging2.yml
languages: javascript
packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
@ -68,7 +68,7 @@ jobs:
output: ${{ runner.temp }}/results
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

2
.github/workflows/__remote-config.yml generated vendored
View file

@ -69,7 +69,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Go

2
.github/workflows/__rubocop-multi-language.yml generated vendored
View file

@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Ruby

2
.github/workflows/__ruby.yml generated vendored
View file

@ -45,7 +45,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init

4
.github/workflows/__split-workflow.yml generated vendored
View file

@ -45,13 +45,13 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging3.yml
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code

2
.github/workflows/__submit-sarif-failure.yml generated vendored
View file

@ -39,7 +39,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: actions/checkout@v3

72
.github/workflows/__swift-autobuild.yml generated vendored
View file

@ -1,72 +0,0 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# pip install ruamel.yaml && python3 sync.py
# to regenerate this file.
name: PR Check - Swift analysis using autobuild
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
on:
push:
branches:
- main
- releases/v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}
jobs:
swift-autobuild:
strategy:
matrix:
include:
- os: macos-latest
version: latest
- os: macos-latest
version: cached
- os: macos-latest
version: nightly-latest
name: Swift analysis using autobuild
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init
id: init
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd
- uses: ./../action/autobuild
timeout-minutes: 10
- uses: ./../action/analyze
id: analysis
with:
upload-database: false
- name: Check database
shell: bash
run: |
SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
if [[ ! -d "$SWIFT_DB" ]]; then
echo "Did not create a database for Swift."
exit 1
fi
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: 'true' # Remove when Swift is GA.
CODEQL_ACTION_TEST_MODE: true

4
.github/workflows/__swift-custom-build.yml generated vendored
View file

@ -45,7 +45,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init
@ -53,7 +53,7 @@ jobs:
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory

2
.github/workflows/__test-autobuild-working-dir.yml generated vendored
View file

@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Test setup

2
.github/workflows/__test-local-codeql.yml generated vendored
View file

@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Fetch a CodeQL bundle

2
.github/workflows/__test-proxy.yml generated vendored
View file

@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init

2
.github/workflows/__unset-environment.yml generated vendored
View file

@ -45,7 +45,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Go

2
.github/workflows/__upload-ref-sha-input.yml generated vendored
View file

@ -69,7 +69,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Go

2
.github/workflows/__with-checkout-path.yml generated vendored
View file

@ -69,7 +69,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set up Go

44
.github/workflows/codescanning-config-cli.yml vendored
View file

@ -47,12 +47,12 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Empty file
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: "{}"
languages: javascript
@ -60,31 +60,31 @@ jobs:
- name: Packs from input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
"packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
languages: javascript
packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Packs from input with +
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
"packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
languages: javascript
packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries from input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
@ -96,7 +96,7 @@ jobs:
- name: Queries from input with +
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
@ -108,27 +108,27 @@ jobs:
- name: Queries and packs from input with +
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
"packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
"packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
languages: javascript
queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries and packs from config
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }],
"packs": {
"javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
"javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
}
languages: javascript
@ -137,7 +137,7 @@ jobs:
- name: Queries and packs from config overriden by input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
@ -152,7 +152,7 @@ jobs:
- name: Queries and packs from config merging with input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
@ -161,7 +161,7 @@ jobs:
{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
],
"packs": {
"javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2", "codeql/javascript-queries" ]
"javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2", "codeql/javascript-queries" ]
}
}
languages: javascript
@ -172,12 +172,12 @@ jobs:
- name: Multi-language packs from config
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": {
"javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ],
"javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ],
"ruby": ["codeql/ruby-queries"]
},
"queries": [
@ -190,7 +190,7 @@ jobs:
- name: Other config properties
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
@ -209,7 +209,7 @@ jobs:
if: success() || failure()
env:
CODEQL_PASS_CONFIG_TO_CLI: false
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: ""
languages: javascript

2
.github/workflows/debug-artifacts-failure.yml vendored
View file

@ -36,7 +36,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: latest
- uses: actions/setup-go@v4

2
.github/workflows/debug-artifacts.yml vendored
View file

@ -56,7 +56,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: actions/setup-go@v4

4
.github/workflows/expected-queries-runs.yml vendored
View file

@ -25,7 +25,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: latest
- uses: ./../action/init
@ -39,7 +39,7 @@ jobs:
upload: never
- name: Check Sarif
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/incomplete-hostname-regexp,js/path-injection

8
.github/workflows/query-filters.yml vendored
View file

@ -23,12 +23,12 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: latest
- name: Check SARIF for default queries with Single include, Single exclude
uses: ./../action/.github/query-filter-test
uses: ./../action/.github/actions/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip
@ -37,7 +37,7 @@ jobs:
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check SARIF for query packs with Single include, Single exclude
uses: ./../action/.github/query-filter-test
uses: ./../action/.github/actions/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block
@ -46,7 +46,7 @@ jobs:
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check SARIF for query packs and local queries with Single include, Single exclude
uses: ./../action/.github/query-filter-test
uses: ./../action/.github/actions/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs

82
.github/workflows/update-bundle.yml vendored Normal file
View file

@ -0,0 +1,82 @@
name: Update default CodeQL bundle
on:
release:
types: [prereleased]
jobs:
update-bundle:
if: startsWith(github.event.release.tag_name, 'codeql-bundle-')
runs-on: ubuntu-latest
steps:
- name: Dump environment
run: env
- name: Dump GitHub context
env:
GITHUB_CONTEXT: '${{ toJson(github) }}'
run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v3
- name: Update git config
run: |
git config --global user.email "github-actions@github.com"
git config --global user.name "github-actions[bot]"
- name: Update bundle
uses: ./.github/actions/update-bundle
- name: Rebuild Action
run: npm run build
- name: Commit and push changes
env:
RELEASE_TAG: "${{ github.event.release.tag_name }}"
run: |
git checkout -b "update-bundle/$RELEASE_TAG"
git commit -am "Update default bundle to $RELEASE_TAG"
git push --set-upstream origin "update-bundle/$RELEASE_TAG"
- name: Open pull request
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cli_version=$(jq -r '.cliVersion' src/defaults.json)
pr_url=$(gh pr create \
--title "Update default bundle to $cli_version" \
--body "This pull request updates the default CodeQL bundle, as used with \`tools: latest\` and on GHES, to $cli_version." \
--assignee "$GITHUB_ACTOR" \
--draft \
)
echo "CLI_VERSION=$cli_version" | tee -a "$GITHUB_ENV"
echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"
- name: Create changelog note
shell: python
run: |
import os
import re
# Get the PR number from the PR URL.
pr_number = os.environ['PR_URL'].split('/')[-1]
changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
# Use perl to avoid having to escape the newline character.
with open('CHANGELOG.md', 'r') as f:
changelog = f.read()
changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
# Add the changelog note to the bottom of the "[UNRELEASED]" section.
changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
with open('CHANGELOG.md', 'w') as f:
f.write(changelog)
- name: Push changelog note
run: |
git commit -am "Add changelog note"
git push

4
CHANGELOG.md
View file

@ -1,5 +1,9 @@
# CodeQL Action Changelog
## 2.2.10 - 05 Apr 2023
- Update default CodeQL bundle version to 2.12.6. [#1629](https://github.com/github/codeql-action/pull/1629)
## 2.2.9 - 27 Mar 2023
- Customers post-processing the SARIF output of the `analyze` Action before uploading it to Code Scanning will benefit from an improved debugging experience. [#1598](https://github.com/github/codeql-action/pull/1598)

35
lib/codeql.js generated
View file

@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.enrichEnvironment = exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
exports.enrichEnvironment = exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED = exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
const fs = __importStar(require("fs"));
const path = __importStar(require("path"));
const core = __importStar(require("@actions/core"));
@ -106,6 +106,11 @@ exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
* Versions 2.12.4+ of the CodeQL CLI support the `--qlconfig-file` flag in calls to `database init`.
*/
exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = "2.12.4";
/**
* Versions 2.12.6+ of the CodeQL CLI fix a bug where duplicate notification objects could be produced,
* leading to an invalid SARIF output.
*/
exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED = "2.12.6";
/**
* Set up CodeQL CLI access.
*
@ -509,7 +514,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
},
async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId, config, features, logger) {
const shouldExportDiagnostics = await features.getValue(feature_flags_1.Feature.ExportDiagnosticsEnabled, this);
const codeqlOutputFile = shouldExportDiagnostics
const shouldWorkaroundInvalidNotifications = shouldExportDiagnostics &&
!(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED));
const codeqlOutputFile = shouldWorkaroundInvalidNotifications
? path.join(config.tempDir, "codeql-intermediate-results.sarif")
: sarifFile;
const codeqlArgs = [
@ -537,16 +544,17 @@ async function getCodeQLForCmd(cmd, checkVersion) {
if (shouldExportDiagnostics) {
codeqlArgs.push("--sarif-include-diagnostics");
}
else if (await util.codeQlVersionAbove(this, "2.12.4")) {
codeqlArgs.push("--no-sarif-include-diagnostics");
}
codeqlArgs.push(databasePath);
if (querySuitePaths) {
codeqlArgs.push(...querySuitePaths);
}
// capture stdout, which contains analysis summaries
const returnState = await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, codeqlArgs, error_matcher_1.errorMatchers);
if (shouldExportDiagnostics) {
let sarif = JSON.parse(fs.readFileSync(codeqlOutputFile, "utf8"));
sarif = util.fixInvalidNotifications(sarif, logger);
fs.writeFileSync(sarifFile, JSON.stringify(sarif));
if (shouldWorkaroundInvalidNotifications) {
util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
}
return returnState.stdout;
},
@ -625,14 +633,17 @@ async function getCodeQLForCmd(cmd, checkVersion) {
await new toolrunner.ToolRunner(cmd, args).exec();
},
async databaseExportDiagnostics(databasePath, sarifFile, automationDetailsId, tempDir, logger) {
const intermediateSarifFile = path.join(tempDir, "codeql-intermediate-results.sarif");
const shouldWorkaroundInvalidNotifications = !(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED));
const codeqlOutputFile = shouldWorkaroundInvalidNotifications
? path.join(tempDir, "codeql-intermediate-results.sarif")
: sarifFile;
const args = [
"database",
"export-diagnostics",
`${databasePath}`,
"--db-cluster",
"--format=sarif-latest",
`--output=${intermediateSarifFile}`,
`--output=${codeqlOutputFile}`,
"--sarif-include-diagnostics",
"-vvv",
...getExtraOptionsFromEnv(["diagnostics", "export"]),
@ -641,10 +652,10 @@ async function getCodeQLForCmd(cmd, checkVersion) {
args.push("--sarif-category", automationDetailsId);
}
await new toolrunner.ToolRunner(cmd, args).exec();
// Fix invalid notifications in the SARIF file output by CodeQL.
let sarif = JSON.parse(fs.readFileSync(intermediateSarifFile, "utf8"));
sarif = util.fixInvalidNotifications(sarif, logger);
fs.writeFileSync(sarifFile, JSON.stringify(sarif));
if (shouldWorkaroundInvalidNotifications) {
// Fix invalid notifications in the SARIF file output by CodeQL.
util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
}
},
async diagnosticsExport(sarifFile, automationDetailsId, config, features) {
const args = [

2
lib/codeql.js.map
View file

File diff suppressed because one or more lines are too long

4
lib/codeql.test.js generated
View file

@ -382,11 +382,11 @@ for (const isBundleVersionInUrl of [true, false]) {
tagName: "codeql-bundle-20230203",
});
mockDownloadApi({
repo: "dsp-testing/codeql-cli-nightlies",
repo: "codeql-testing/codeql-cli-nightlies",
platformSpecific: false,
tagName: "codeql-bundle-20230203",
});
const result = await codeql.setupCodeQL("https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
t.is(result.toolsVersion, "0.0.0-20230203");
t.is(result.toolsSource, init_1.ToolsSource.Download);
t.true(Number.isInteger(result.toolsDownloadDurationMs));

2
lib/codeql.test.js.map
View file

File diff suppressed because one or more lines are too long

10
lib/config-utils.test.js generated
View file

@ -1134,7 +1134,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
{
// no slash
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -1200,7 +1200,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
const registriesInput = yaml.dump([
{
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -1227,7 +1227,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
const registriesInput = yaml.dump([
{
// missing url property
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -1252,7 +1252,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
{
// no slash
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
]);
@ -1283,7 +1283,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
const registriesInput = yaml.dump([
{
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
]);

2
lib/config-utils.test.js.map
View file

File diff suppressed because one or more lines are too long

8
lib/defaults.json
View file

@ -1,6 +1,6 @@
{
"bundleVersion": "codeql-bundle-20230317",
"cliVersion": "2.12.5",
"priorBundleVersion": "codeql-bundle-20230304",
"priorCliVersion": "2.12.4"
"bundleVersion": "codeql-bundle-20230403",
"cliVersion": "2.12.6",
"priorBundleVersion": "codeql-bundle-20230317",
"priorCliVersion": "2.12.5"
}

6
lib/feature-flags.js generated
View file

@ -55,12 +55,12 @@ exports.featureConfig = {
[Feature.ExportCodeScanningConfigEnabled]: {
envVar: "CODEQL_ACTION_EXPORT_CODE_SCANNING_CONFIG",
minimumVersion: "2.12.3",
defaultValue: false,
defaultValue: true,
},
[Feature.ExportDiagnosticsEnabled]: {
envVar: "CODEQL_ACTION_EXPORT_DIAGNOSTICS",
minimumVersion: "2.12.4",
defaultValue: false,
defaultValue: true,
},
[Feature.MlPoweredQueriesEnabled]: {
envVar: "CODEQL_ML_POWERED_QUERIES",
@ -70,7 +70,7 @@ exports.featureConfig = {
[Feature.UploadFailedSarifEnabled]: {
envVar: "CODEQL_ACTION_UPLOAD_FAILED_SARIF",
minimumVersion: "2.11.3",
defaultValue: false,
defaultValue: true,
},
};
exports.FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";

2
lib/feature-flags.js.map
View file

File diff suppressed because one or more lines are too long

19
lib/util.js generated
View file

@ -26,7 +26,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.fixInvalidNotifications = exports.parseMatrixInput = exports.isHostedRunner = exports.checkForTimeout = exports.withTimeout = exports.tryGetFolderBytes = exports.listFolder = exports.doesDirectoryExist = exports.logCodeScanningConfigInCli = exports.useCodeScanningConfigInCli = exports.isInTestMode = exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.supportExpectDiscardedCache = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.initializeEnvironment = exports.assertNever = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
exports.fixInvalidNotificationsInFile = exports.fixInvalidNotifications = exports.parseMatrixInput = exports.isHostedRunner = exports.checkForTimeout = exports.withTimeout = exports.tryGetFolderBytes = exports.listFolder = exports.doesDirectoryExist = exports.logCodeScanningConfigInCli = exports.useCodeScanningConfigInCli = exports.isInTestMode = exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.supportExpectDiscardedCache = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.initializeEnvironment = exports.assertNever = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
const fs = __importStar(require("fs"));
const os = __importStar(require("os"));
const path = __importStar(require("path"));
@ -676,7 +676,7 @@ function fixInvalidNotifications(sarif, logger) {
`${shared_environment_1.CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX} environment variable.`);
return sarif;
}
if (!(sarif.runs instanceof Array)) {
if (!Array.isArray(sarif.runs)) {
return sarif;
}
// Ensure that the array of locations for each SARIF notification contains unique locations.
@ -687,19 +687,19 @@ function fixInvalidNotifications(sarif, logger) {
...sarif,
runs: sarif.runs.map((run) => {
if (run.tool?.driver?.name !== "CodeQL" ||
!(run.invocations instanceof Array)) {
!Array.isArray(run.invocations)) {
return run;
}
return {
...run,
invocations: run.invocations.map((invocation) => {
if (!(invocation.toolExecutionNotifications instanceof Array)) {
if (!Array.isArray(invocation.toolExecutionNotifications)) {
return invocation;
}
return {
...invocation,
toolExecutionNotifications: invocation.toolExecutionNotifications.map((notification) => {
if (!(notification.locations instanceof Array)) {
if (!Array.isArray(notification.locations)) {
return notification;
}
const newLocations = removeDuplicateLocations(notification.locations);
@ -719,7 +719,16 @@ function fixInvalidNotifications(sarif, logger) {
logger.info(`Removed ${numDuplicateLocationsRemoved} duplicate locations from SARIF notification ` +
"objects.");
}
else {
logger.debug("No duplicate locations found in SARIF notification objects.");
}
return newSarif;
}
exports.fixInvalidNotifications = fixInvalidNotifications;
function fixInvalidNotificationsInFile(inputPath, outputPath, logger) {
let sarif = JSON.parse(fs.readFileSync(inputPath, "utf8"));
sarif = fixInvalidNotifications(sarif, logger);
fs.writeFileSync(outputPath, JSON.stringify(sarif));
}
exports.fixInvalidNotificationsInFile = fixInvalidNotificationsInFile;
//# sourceMappingURL=util.js.map

2
lib/util.js.map
View file

File diff suppressed because one or more lines are too long

6
lib/util.test.js generated
View file

@ -363,7 +363,11 @@ const stubLocation = {
const messages = [];
const result = util.fixInvalidNotifications(createMockSarifWithNotification([stubLocation]), (0, testing_utils_1.getRecordingLogger)(messages));
t.deepEqual(result, createMockSarifWithNotification([stubLocation]));
t.is(messages.length, 0);
t.is(messages.length, 1);
t.deepEqual(messages[0], {
type: "debug",
message: "No duplicate locations found in SARIF notification objects.",
});
});
(0, ava_1.default)("fixInvalidNotifications removes duplicate locations", (t) => {
const messages = [];

2
lib/util.test.js.map
View file

File diff suppressed because one or more lines are too long

15
lib/workflow.js generated
View file

@ -84,8 +84,6 @@ function toCodedErrors(errors) {
exports.WorkflowErrors = toCodedErrors({
MismatchedBranches: `Please make sure that every branch in on.pull_request is also in on.push so that Code Scanning can compare pull requests against the state of the base branch.`,
MissingPushHook: `Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.`,
PathsSpecified: `Using on.push.paths can prevent Code Scanning annotating new alerts in your pull requests.`,
PathsIgnoreSpecified: `Using on.push.paths-ignore can prevent Code Scanning annotating new alerts in your pull requests.`,
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
});
function getWorkflowErrors(doc) {
@ -130,19 +128,6 @@ function getWorkflowErrors(doc) {
if (!hasPush && hasPullRequest) {
missingPush = true;
}
if (hasPush && hasPullRequest) {
const paths = doc.on.push?.paths;
// if you specify paths or paths-ignore you can end up with commits that have no baseline
// if they didn't change any files
// currently we cannot go back through the history and find the most recent baseline
if (Array.isArray(paths) && paths.length > 0) {
errors.push(exports.WorkflowErrors.PathsSpecified);
}
const pathsIgnore = doc.on.push?.["paths-ignore"];
if (Array.isArray(pathsIgnore) && pathsIgnore.length > 0) {
errors.push(exports.WorkflowErrors.PathsIgnoreSpecified);
}
}
// if doc.on.pull_request is null that means 'all branches'
// if doc.on.pull_request is undefined that means 'off'
// we only want to check for mismatched branches if pull_request is on.

2
lib/workflow.js.map
View file

File diff suppressed because one or more lines are too long

15
lib/workflow.test.js generated
View file

@ -58,15 +58,6 @@ function errorCodes(actual, expected) {
});
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push should not have a path", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
on: {
push: { branches: ["main"], paths: ["test/*"] },
pull_request: { branches: ["main"] },
},
});
t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.PathsSpecified]));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is a correct object", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
@ -227,7 +218,7 @@ function errorCodes(actual, expected) {
(0, ava_1.default)("formatWorkflowErrors() when there are multiple errors", (t) => {
const message = (0, workflow_1.formatWorkflowErrors)([
workflow_1.WorkflowErrors.CheckoutWrongHead,
workflow_1.WorkflowErrors.PathsSpecified,
workflow_1.WorkflowErrors.MismatchedBranches,
]);
t.true(message.startsWith("2 issues were detected with this workflow:"));
});
@ -238,9 +229,9 @@ function errorCodes(actual, expected) {
(0, ava_1.default)("formatWorkflowCause()", (t) => {
const message = (0, workflow_1.formatWorkflowCause)([
workflow_1.WorkflowErrors.CheckoutWrongHead,
workflow_1.WorkflowErrors.PathsSpecified,
workflow_1.WorkflowErrors.MismatchedBranches,
]);
t.deepEqual(message, "CheckoutWrongHead,PathsSpecified");
t.deepEqual(message, "CheckoutWrongHead,MismatchedBranches");
t.deepEqual((0, workflow_1.formatWorkflowCause)([]), undefined);
});
(0, ava_1.default)("patternIsSuperset()", (t) => {

2
lib/workflow.test.js.map
View file

File diff suppressed because one or more lines are too long

2
node_modules/.package-lock.json generated vendored
View file

@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "2.2.9",
"version": "2.2.10",
"lockfileVersion": 3,
"requires": true,
"packages": {

4
package-lock.json generated
View file

@ -1,12 +1,12 @@
{
"name": "codeql",
"version": "2.2.9",
"version": "2.2.10",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "codeql",
"version": "2.2.9",
"version": "2.2.10",
"license": "MIT",
"dependencies": {
"@actions/artifact": "^1.1.0",

2
package.json
View file

@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "2.2.9",
"version": "2.2.10",
"private": true,
"description": "CodeQL action",
"scripts": {

4
pr-checks/checks/diagnostics-export.yml
View file

@ -1,6 +1,8 @@
name: "Diagnostic export"
description: "Tests that manually added diagnostics are correctly exported to SARIF."
versions: ["latest", "nightly-latest"]
# Test on 2.12.5 (which requires a workaround in the Action), the latest release, and the latest
# nightly.
versions: ["stable-20230317", "latest", "nightly-latest"]
env:
CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
steps:

2
pr-checks/checks/export-file-baseline-information.yml
View file

@ -11,7 +11,7 @@ steps:
tools: ${{ steps.prepare-test.outputs.tools-url }}
env:
CODEQL_FILE_BASELINE_INFORMATION: true
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Build code

8
pr-checks/checks/init-with-registries.yml
View file

@ -11,6 +11,10 @@ versions: [
"nightly-latest",
]
permissions:
contents: read
packages: read
steps:
- name: Init with registries
uses: ./../action/init
@ -27,8 +31,8 @@ steps:
- name: Verify packages installed
shell: bash
run: |
PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
if [[ -d $PRIVATE_PACK ]]
then

2
pr-checks/checks/ml-powered-queries.yml
View file

@ -28,7 +28,7 @@ steps:
retention-days: 7
- name: Check sarif
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
# Running on Windows requires CodeQL CLI 2.9.0+.
if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
with:

2
pr-checks/checks/multi-language-autodetect.yml
View file

@ -10,7 +10,7 @@ steps:
db-location: "${{ runner.temp }}/customDbLocation"
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}

4
pr-checks/checks/packaging-codescanning-config-inputs-js.yml
View file

@ -9,7 +9,7 @@ steps:
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
@ -21,7 +21,7 @@ steps:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

4
pr-checks/checks/packaging-config-inputs-js.yml
View file

@ -5,7 +5,7 @@ steps:
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
@ -17,7 +17,7 @@ steps:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

2
pr-checks/checks/packaging-config-js.yml
View file

@ -16,7 +16,7 @@ steps:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

4
pr-checks/checks/packaging-inputs-js.yml
View file

@ -6,7 +6,7 @@ steps:
with:
config-file: ".github/codeql/codeql-config-packaging2.yml"
languages: javascript
packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
@ -16,7 +16,7 @@ steps:
output: "${{ runner.temp }}/results"
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

2
pr-checks/checks/split-workflow.yml
View file

@ -6,7 +6,7 @@ steps:
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code

33
pr-checks/checks/swift-autobuild.yml
View file

@ -1,33 +0,0 @@
name: "Swift analysis using autobuild"
description: "Tests creation of a Swift database using autobuild"
versions: ["latest", "cached", "nightly-latest"]
# Swift autobuilder is only supported on MacOS for private beta
operatingSystems: ["macos"]
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: "true" # Remove when Swift is GA.
steps:
- uses: ./../action/init
id: init
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory
shell: bash
run: pwd
- uses: ./../action/autobuild
timeout-minutes: 10
- uses: ./../action/analyze
id: analysis
with:
upload-database: false
- name: Check database
shell: bash
run: |
SWIFT_DB="${{ fromJson(steps.analysis.outputs.db-locations).swift }}"
if [[ ! -d "$SWIFT_DB" ]]; then
echo "Did not create a database for Swift."
exit 1
fi

2
pr-checks/checks/swift-custom-build.yml
View file

@ -11,7 +11,7 @@ steps:
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory

6
pr-checks/sync.py
View file

@ -79,7 +79,7 @@ for file in os.listdir('checks'):
{
'name': 'Prepare test',
'id': 'prepare-test',
'uses': './.github/prepare-test',
'uses': './.github/actions/prepare-test',
'with': {
'version': '${{ matrix.version }}'
}
@ -107,8 +107,10 @@ for file in os.listdir('checks'):
'name': checkSpecification['name'],
'timeout-minutes': 45,
'runs-on': '${{ matrix.os }}',
'steps': steps
'steps': steps,
}
if 'permissions' in checkSpecification:
checkJob['permissions'] = checkSpecification['permissions']
for key in ["env", "container", "services"]:
if key in checkSpecification:

4
src/codeql.test.ts
View file

@ -554,13 +554,13 @@ test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t)
tagName: "codeql-bundle-20230203",
});
mockDownloadApi({
repo: "dsp-testing/codeql-cli-nightlies",
repo: "codeql-testing/codeql-cli-nightlies",
platformSpecific: false,
tagName: "codeql-bundle-20230203",
});
const result = await codeql.setupCodeQL(
"https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz",
"https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz",
sampleApiDetails,
tmpDir,
util.GitHubVariant.DOTCOM,

48
src/codeql.ts
View file

@ -319,6 +319,12 @@ export const CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
*/
export const CODEQL_VERSION_INIT_WITH_QLCONFIG = "2.12.4";
/**
* Versions 2.12.6+ of the CodeQL CLI fix a bug where duplicate notification objects could be produced,
* leading to an invalid SARIF output.
*/
export const CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED = "2.12.6";
/**
* Set up CodeQL CLI access.
*
@ -878,7 +884,13 @@ export async function getCodeQLForCmd(
Feature.ExportDiagnosticsEnabled,
this
);
const codeqlOutputFile = shouldExportDiagnostics
const shouldWorkaroundInvalidNotifications =
shouldExportDiagnostics &&
!(await util.codeQlVersionAbove(
this,
CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED
));
const codeqlOutputFile = shouldWorkaroundInvalidNotifications
? path.join(config.tempDir, "codeql-intermediate-results.sarif")
: sarifFile;
const codeqlArgs = [
@ -910,6 +922,8 @@ export async function getCodeQLForCmd(
}
if (shouldExportDiagnostics) {
codeqlArgs.push("--sarif-include-diagnostics");
} else if (await util.codeQlVersionAbove(this, "2.12.4")) {
codeqlArgs.push("--no-sarif-include-diagnostics");
}
codeqlArgs.push(databasePath);
if (querySuitePaths) {
@ -922,12 +936,8 @@ export async function getCodeQLForCmd(
errorMatchers
);
if (shouldExportDiagnostics) {
let sarif = JSON.parse(
fs.readFileSync(codeqlOutputFile, "utf8")
) as util.SarifFile;
sarif = util.fixInvalidNotifications(sarif, logger);
fs.writeFileSync(sarifFile, JSON.stringify(sarif));
if (shouldWorkaroundInvalidNotifications) {
util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
}
return returnState.stdout;
@ -1029,17 +1039,21 @@ export async function getCodeQLForCmd(
tempDir: string,
logger: Logger
): Promise<void> {
const intermediateSarifFile = path.join(
tempDir,
"codeql-intermediate-results.sarif"
);
const shouldWorkaroundInvalidNotifications =
!(await util.codeQlVersionAbove(
this,
CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED
));
const codeqlOutputFile = shouldWorkaroundInvalidNotifications
? path.join(tempDir, "codeql-intermediate-results.sarif")
: sarifFile;
const args = [
"database",
"export-diagnostics",
`${databasePath}`,
"--db-cluster", // Database is always a cluster for CodeQL versions that support diagnostics.
"--format=sarif-latest",
`--output=${intermediateSarifFile}`,
`--output=${codeqlOutputFile}`,
"--sarif-include-diagnostics", // ExportDiagnosticsEnabled is always true if this command is run.
"-vvv",
...getExtraOptionsFromEnv(["diagnostics", "export"]),
@ -1049,12 +1063,10 @@ export async function getCodeQLForCmd(
}
await new toolrunner.ToolRunner(cmd, args).exec();
// Fix invalid notifications in the SARIF file output by CodeQL.
let sarif = JSON.parse(
fs.readFileSync(intermediateSarifFile, "utf8")
) as util.SarifFile;
sarif = util.fixInvalidNotifications(sarif, logger);
fs.writeFileSync(sarifFile, JSON.stringify(sarif));
if (shouldWorkaroundInvalidNotifications) {
// Fix invalid notifications in the SARIF file output by CodeQL.
util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
}
},
async diagnosticsExport(
sarifFile: string,

10
src/config-utils.test.ts
View file

@ -2307,7 +2307,7 @@ test("downloadPacks-with-registries", async (t) => {
{
// no slash
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -2397,7 +2397,7 @@ test("downloadPacks-with-registries fails on 2.10.3", async (t) => {
const registriesInput = yaml.dump([
{
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -2439,7 +2439,7 @@ test("downloadPacks-with-registries fails with invalid registries block", async
const registriesInput = yaml.dump([
{
// missing url property
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -2478,7 +2478,7 @@ test("no generateRegistries when CLI is too old", async (t) => {
{
// no slash
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
]);
@ -2527,7 +2527,7 @@ test("generateRegistries prefers original CODEQL_REGISTRIES_AUTH", async (t) =>
const registriesInput = yaml.dump([
{
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
]);

8
src/defaults.json
View file

@ -1,6 +1,6 @@
{
"bundleVersion": "codeql-bundle-20230317",
"cliVersion": "2.12.5",
"priorBundleVersion": "codeql-bundle-20230304",
"priorCliVersion": "2.12.4"
"bundleVersion": "codeql-bundle-20230403",
"cliVersion": "2.12.6",
"priorBundleVersion": "codeql-bundle-20230317",
"priorCliVersion": "2.12.5"
}

6
src/feature-flags.ts
View file

@ -62,12 +62,12 @@ export const featureConfig: Record<
[Feature.ExportCodeScanningConfigEnabled]: {
envVar: "CODEQL_ACTION_EXPORT_CODE_SCANNING_CONFIG",
minimumVersion: "2.12.3",
defaultValue: false,
defaultValue: true,
},
[Feature.ExportDiagnosticsEnabled]: {
envVar: "CODEQL_ACTION_EXPORT_DIAGNOSTICS",
minimumVersion: "2.12.4",
defaultValue: false,
defaultValue: true,
},
[Feature.MlPoweredQueriesEnabled]: {
@ -78,7 +78,7 @@ export const featureConfig: Record<
[Feature.UploadFailedSarifEnabled]: {
envVar: "CODEQL_ACTION_UPLOAD_FAILED_SARIF",
minimumVersion: "2.11.3",
defaultValue: false,
defaultValue: true,
},
};

6
src/util.test.ts
View file

@ -441,7 +441,11 @@ test("fixInvalidNotifications leaves notifications with unique locations alone",
getRecordingLogger(messages)
);
t.deepEqual(result, createMockSarifWithNotification([stubLocation]));
t.is(messages.length, 0);
t.is(messages.length, 1);
t.deepEqual(messages[0], {
type: "debug",
message: "No duplicate locations found in SARIF notification objects.",
});
});
test("fixInvalidNotifications removes duplicate locations", (t) => {

20
src/util.ts
View file

@ -823,7 +823,7 @@ export function fixInvalidNotifications(
);
return sarif;
}
if (!(sarif.runs instanceof Array)) {
if (!Array.isArray(sarif.runs)) {
return sarif;
}
@ -837,21 +837,21 @@ export function fixInvalidNotifications(
runs: sarif.runs.map((run) => {
if (
run.tool?.driver?.name !== "CodeQL" ||
!(run.invocations instanceof Array)
!Array.isArray(run.invocations)
) {
return run;
}
return {
...run,
invocations: run.invocations.map((invocation) => {
if (!(invocation.toolExecutionNotifications instanceof Array)) {
if (!Array.isArray(invocation.toolExecutionNotifications)) {
return invocation;
}
return {
...invocation,
toolExecutionNotifications:
invocation.toolExecutionNotifications.map((notification) => {
if (!(notification.locations instanceof Array)) {
if (!Array.isArray(notification.locations)) {
return notification;
}
const newLocations = removeDuplicateLocations(
@ -875,6 +875,18 @@ export function fixInvalidNotifications(
`Removed ${numDuplicateLocationsRemoved} duplicate locations from SARIF notification ` +
"objects."
);
} else {
logger.debug("No duplicate locations found in SARIF notification objects.");
}
return newSarif;
}
export function fixInvalidNotificationsInFile(
inputPath: string,
outputPath: string,
logger: Logger
): void {
let sarif = JSON.parse(fs.readFileSync(inputPath, "utf8")) as SarifFile;
sarif = fixInvalidNotifications(sarif, logger);
fs.writeFileSync(outputPath, JSON.stringify(sarif));
}

17
src/workflow.test.ts
View file

@ -56,17 +56,6 @@ test("getWorkflowErrors() when on.push is a valid superset", (t) => {
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when on.push should not have a path", (t) => {
const errors = getWorkflowErrors({
on: {
push: { branches: ["main"], paths: ["test/*"] },
pull_request: { branches: ["main"] },
},
});
t.deepEqual(...errorCodes(errors, [WorkflowErrors.PathsSpecified]));
});
test("getWorkflowErrors() when on.push is a correct object", (t) => {
const errors = getWorkflowErrors({
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
@ -317,7 +306,7 @@ test("formatWorkflowErrors() when there is one error", (t) => {
test("formatWorkflowErrors() when there are multiple errors", (t) => {
const message = formatWorkflowErrors([
WorkflowErrors.CheckoutWrongHead,
WorkflowErrors.PathsSpecified,
WorkflowErrors.MismatchedBranches,
]);
t.true(message.startsWith("2 issues were detected with this workflow:"));
});
@ -331,10 +320,10 @@ test("formatWorkflowCause() with no errors", (t) => {
test("formatWorkflowCause()", (t) => {
const message = formatWorkflowCause([
WorkflowErrors.CheckoutWrongHead,
WorkflowErrors.PathsSpecified,
WorkflowErrors.MismatchedBranches,
]);
t.deepEqual(message, "CheckoutWrongHead,PathsSpecified");
t.deepEqual(message, "CheckoutWrongHead,MismatchedBranches");
t.deepEqual(formatWorkflowCause([]), undefined);
});

15
src/workflow.ts
View file

@ -108,8 +108,6 @@ function toCodedErrors(errors: {
export const WorkflowErrors = toCodedErrors({
MismatchedBranches: `Please make sure that every branch in on.pull_request is also in on.push so that Code Scanning can compare pull requests against the state of the base branch.`,
MissingPushHook: `Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.`,
PathsSpecified: `Using on.push.paths can prevent Code Scanning annotating new alerts in your pull requests.`,
PathsIgnoreSpecified: `Using on.push.paths-ignore can prevent Code Scanning annotating new alerts in your pull requests.`,
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
});
@ -162,19 +160,6 @@ export function getWorkflowErrors(doc: Workflow): CodedError[] {
if (!hasPush && hasPullRequest) {
missingPush = true;
}
if (hasPush && hasPullRequest) {
const paths = doc.on.push?.paths;
// if you specify paths or paths-ignore you can end up with commits that have no baseline
// if they didn't change any files
// currently we cannot go back through the history and find the most recent baseline
if (Array.isArray(paths) && paths.length > 0) {
errors.push(WorkflowErrors.PathsSpecified);
}
const pathsIgnore = doc.on.push?.["paths-ignore"];
if (Array.isArray(pathsIgnore) && pathsIgnore.length > 0) {
errors.push(WorkflowErrors.PathsIgnoreSpecified);
}
}
// if doc.on.pull_request is null that means 'all branches'
// if doc.on.pull_request is undefined that means 'off'

6
tests/multi-language-repo/.github/codeql/codeql-config-packaging.yml vendored
View file

@ -3,9 +3,9 @@ name: Pack testing in the CodeQL Action
disable-default-queries: true
packs:
javascript:
- dsp-testing/codeql-pack1@1.0.0
- dsp-testing/codeql-pack2
- dsp-testing/codeql-pack3:other-query.ql
- codeql-testing/codeql-pack1@1.0.0
- codeql-testing/codeql-pack2
- codeql-testing/codeql-pack3:other-query.ql
paths-ignore:
- tests

4
tests/multi-language-repo/.github/codeql/codeql-config-packaging3.yml vendored
View file

@ -3,8 +3,8 @@ name: Pack testing in the CodeQL Action
disable-default-queries: true
packs:
javascript:
- dsp-testing/codeql-pack2
- dsp-testing/codeql-pack3:other-query.ql
- codeql-testing/codeql-pack2
- codeql-testing/codeql-pack3:other-query.ql
paths-ignore:
- tests
- lib

2
tests/multi-language-repo/.github/codeql/codeql-config-query-filters2.yml vendored
View file

@ -5,7 +5,7 @@ disable-default-queries: true
packs:
javascript:
- codeql/javascript-queries
- dsp-testing/codeql-pack1@1.0.0
- codeql-testing/codeql-pack1@1.0.0
query-filters:
# This should run js/path-injection and js/zipslip

2
tests/multi-language-repo/.github/codeql/codeql-config-query-filters3.yml vendored
View file

@ -15,7 +15,7 @@ queries:
packs:
javascript:
- codeql/javascript-queries
- dsp-testing/codeql-pack1@1.0.0
- codeql-testing/codeql-pack1@1.0.0
query-filters:
# This should run js/path-injection and js/zipslip

4
tests/multi-language-repo/.github/codeql/codeql-config-registries.yml vendored
View file

@ -3,5 +3,5 @@ name: Pack testing in the CodeQL Action
disable-default-queries: true
packs:
javascript:
- dsp-testing/private-pack
- dsp-testing/codeql-pack1
- codeql-testing/private-pack
- codeql-testing/codeql-pack1

26
tests/multi-language-repo/.github/codeql/custom-queries.yml vendored
View file

@ -2,28 +2,28 @@ name: Use custom queries
disable-default-queries: true
queries:
queries:
# Query suites
- name: Select a query suite
- name: Select a query suite
uses: ./codeql-qlpacks/complex-python-qlpack/rootAndBar.qls
# QL pack subset
- name: Select a ql file
- name: Select a ql file
uses: ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
- name: Select a subfolder
uses: ./codeql-qlpacks/complex-javascript-qlpack/foo
- name: Select a folder with two subfolders
- name: Select a folder with two subfolders
uses: ./codeql-qlpacks/complex-javascript-qlpack/foo2
# Inrepo QL pack
- name: Select an inrepo ql pack
uses: ./codeql-qlpacks/csharp-qlpack
- name: Java queries
- name: Java queries
uses: ./codeql-qlpacks/java-qlpack
# External QL packs
- name: Go queries
uses: Anthophila/go-querypack@master
- name: Cpp queries
uses: Anthophila/cpp-querypack@second-branch
- name: JavaScript queries
uses: Anthophila/javascript-querypack/show_ifs2.ql@master
- name: Python queries
uses: Anthophila/python-querypack/show_ifs2.ql@second-branch
- name: Go queries
uses: codeql-testing/go-querypack@master
- name: Cpp queries
uses: codeql-testing/cpp-querypack@second-branch
- name: JavaScript queries
uses: codeql-testing/javascript-querypack/show_ifs2.ql@master
- name: Python queries
uses: codeql-testing/python-querypack/show_ifs2.ql@second-branch

4
tests/multi-language-repo/.github/codeql/multi-language-packs-config.yml vendored
View file

@ -1,7 +1,7 @@
packs:
javascript:
- dsp-testing/codeql-pack1@1.0.0
- dsp-testing/codeql-pack2
- codeql-testing/codeql-pack1@1.0.0
- codeql-testing/codeql-pack2
ruby:
- codeql/ruby-queries

4
tests/multi-language-repo/.github/codeql/queries-and-packs-config.yml vendored
View file

@ -1,7 +1,7 @@
packs:
javascript:
- dsp-testing/codeql-pack1@1.0.0
- dsp-testing/codeql-pack2
- codeql-testing/codeql-pack1@1.0.0
- codeql-testing/codeql-pack2
queries:
- uses: ./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql