robojerk/codeql-action

Merge branch 'main' into henrymercer/use-codeql-2.11.3

Browse source
This commit is contained in:
Henry Mercer 2022-11-11 09:56:50 +00:00 committed by GitHub
commit 9452b6b864
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
27 changed files with 365 additions and 27 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/analyze-action.ts
View file

@ -27,6 +27,7 @@ import { getTotalCacheSize, uploadTrapCaches } from "./trap-caching";
import * as upload_lib from "./upload-lib";
import { UploadResult } from "./upload-lib";
import * as util from "./util";
import { checkForTimeout } from "./util";
// eslint-disable-next-line import/no-commonjs
const pkg = require("../package.json");
@ -402,6 +403,7 @@ async function runWrapper() {
core.setFailed(`analyze action failed: ${error}`);
console.log(error);
}
await checkForTimeout();
}
void runWrapper();

3
src/analyze.ts
View file

@ -389,7 +389,8 @@ export async function runQueries(
addSnippetsFlag,
threadsFlag,
enableDebugLogging ? "-vv" : "-v",
automationDetailsId
automationDetailsId,
featureEnablement
);
}

72
src/codeql.test.ts
View file

@ -445,7 +445,16 @@ test("databaseInterpretResults() does not set --sarif-add-query-help for 2.7.0",
const runnerConstructorStub = stubToolRunnerConstructor();
const codeqlObject = await codeql.getCodeQLForTesting();
sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
await codeqlObject.databaseInterpretResults(
"",
[],
"",
"",
"",
"-v",
"",
createFeatures([])
);
t.false(
runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"),
"--sarif-add-query-help should be absent, but it is present"
@ -456,7 +465,16 @@ test("databaseInterpretResults() sets --sarif-add-query-help for 2.7.1", async (
const runnerConstructorStub = stubToolRunnerConstructor();
const codeqlObject = await codeql.getCodeQLForTesting();
sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
await codeqlObject.databaseInterpretResults(
"",
[],
"",
"",
"",
"-v",
"",
createFeatures([])
);
t.true(
runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"),
"--sarif-add-query-help should be present, but it is absent"
@ -846,6 +864,56 @@ test("does not use injected config", async (t: ExecutionContext<unknown>) => {
}
});
test("databaseInterpretResults() sets --sarif-add-baseline-file-info when feature enabled", async (t) => {
const runnerConstructorStub = stubToolRunnerConstructor();
const codeqlObject = await codeql.getCodeQLForTesting();
// We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
// The version of CodeQL is checked separately to determine feature enablement, and does not
// otherwise impact this test, so set it to 0.0.0.
sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
await codeqlObject.databaseInterpretResults(
"",
[],
"",
"",
"",
"-v",
"",
createFeatures([Feature.FileBaselineInformationEnabled])
);
t.true(
runnerConstructorStub.firstCall.args[1].includes(
"--sarif-add-baseline-file-info"
),
"--sarif-add-baseline-file-info should be present, but it is absent"
);
});
test("databaseInterpretResults() does not set --sarif-add-baseline-file-info if feature disabled", async (t) => {
const runnerConstructorStub = stubToolRunnerConstructor();
const codeqlObject = await codeql.getCodeQLForTesting();
// We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
// The version of CodeQL is checked upstream to determine feature enablement, so it does not
// affect this test.
sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
await codeqlObject.databaseInterpretResults(
"",
[],
"",
"",
"",
"-v",
"",
createFeatures([])
);
t.false(
runnerConstructorStub.firstCall.args[1].includes(
"--sarif-add-baseline-file-info"
),
"--sarif-add-baseline-file-info must be absent, but it is present"
);
});
export function stubToolRunnerConstructor(): sinon.SinonStub<
any[],
toolrunner.ToolRunner

14
src/codeql.ts
View file

@ -173,7 +173,8 @@ export interface CodeQL {
addSnippetsFlag: string,
threadsFlag: string,
verbosityFlag: string | undefined,
automationDetailsId: string | undefined
automationDetailsId: string | undefined,
featureEnablement: FeatureEnablement
): Promise<string>;
/**
* Run 'codeql database print-baseline'.
@ -1066,7 +1067,8 @@ async function getCodeQLForCmd(
addSnippetsFlag: string,
threadsFlag: string,
verbosityFlag: string,
automationDetailsId: string | undefined
automationDetailsId: string | undefined,
featureEnablement: FeatureEnablement
): Promise<string> {
const codeqlArgs = [
"database",
@ -1092,6 +1094,14 @@ async function getCodeQLForCmd(
) {
codeqlArgs.push("--sarif-category", automationDetailsId);
}
if (
await featureEnablement.getValue(
Feature.FileBaselineInformationEnabled,
this
)
) {
codeqlArgs.push("--sarif-add-baseline-file-info");
}
codeqlArgs.push(databasePath);
if (querySuitePaths) {
codeqlArgs.push(...querySuitePaths);

21
src/config-utils.test.ts
View file

@ -2059,6 +2059,27 @@ test(
"security-and-quality",
"~0.3.0"
);
// Test that ML-powered queries are run on all platforms running `security-extended` on CodeQL
// CLI 2.11.3+.
test(
mlPoweredQueriesMacro,
"2.11.3",
true,
undefined,
"security-extended",
"~0.4.0"
);
// Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
// CLI 2.11.3+.
test(
mlPoweredQueriesMacro,
"2.11.3",
true,
undefined,
"security-and-quality",
"~0.4.0"
);
const calculateAugmentationMacro = test.macro({
exec: async (

5
src/feature-flags.ts
View file

@ -11,6 +11,7 @@ export interface FeatureEnablement {
export enum Feature {
BypassToolcacheEnabled = "bypass_toolcache_enabled",
CliConfigFileEnabled = "cli_config_file_enabled",
FileBaselineInformationEnabled = "file_baseline_information_enabled",
GolangExtractionReconciliationEnabled = "golang_extraction_reconciliation_enabled",
MlPoweredQueriesEnabled = "ml_powered_queries_enabled",
TrapCachingEnabled = "trap_caching_enabled",
@ -28,6 +29,10 @@ export const featureConfig: Record<
envVar: "CODEQL_PASS_CONFIG_TO_CLI",
minimumVersion: "2.11.1",
},
[Feature.FileBaselineInformationEnabled]: {
envVar: "CODEQL_FILE_BASELINE_INFORMATION",
minimumVersion: "2.11.3",
},
[Feature.GolangExtractionReconciliationEnabled]: {
envVar: "CODEQL_GOLANG_EXTRACTION_RECONCILIATION",
minimumVersion: undefined,

4
src/init-action-post-helper.ts
View file

@ -13,8 +13,8 @@ export async function run(
const config = await getConfig(actionsUtil.getTemporaryDirectory(), logger);
if (config === undefined) {
throw new Error(
"Config file could not be found at expected location. Did the 'init' action fail to start?"
logger.warning(
"Debugging artifacts are unavailable since the 'init' Action failed before it could produce any."
);
}

40
src/util.ts
View file

@ -672,7 +672,9 @@ export async function getMlPoweredJsQueriesPack(
codeQL: CodeQL
): Promise<string> {
let version;
if (await codeQlVersionAbove(codeQL, "2.9.3")) {
if (await codeQlVersionAbove(codeQL, "2.11.3")) {
version = "~0.4.0";
} else if (await codeQlVersionAbove(codeQL, "2.9.3")) {
version = `~0.3.0`;
} else if (await codeQlVersionAbove(codeQL, "2.8.4")) {
version = `~0.2.0`;
@ -856,13 +858,22 @@ export async function tryGetFolderBytes(
}
}
let hadTimeout = false;
/**
* Run a promise for a given amount of time, and if it doesn't resolve within
* that time, call the provided callback and then return undefined.
* that time, call the provided callback and then return undefined. Due to the
* limitation outlined below, using this helper function is not recommended
* unless there is no other option for adding a timeout (e.g. the code that
* would need the timeout added is an external library).
*
* Important: This does NOT cancel the original promise, so that promise will
* continue in the background even after the timeout has expired. If the
* original promise hangs, then this will prevent the process terminating.
* If a timeout has occurred then the global hadTimeout variable will get set
* to true, and the caller is responsible for forcing the process to exit
* if this is the case by calling the `checkForTimeout` function at the end
* of execution.
*
* @param timeoutMs The timeout in milliseconds.
* @param promise The promise to run.
@ -882,7 +893,14 @@ export async function withTimeout<T>(
};
const timeout: Promise<undefined> = new Promise((resolve) => {
setTimeout(() => {
if (!finished) onTimeout();
if (!finished) {
// Workaround: While the promise racing below will allow the main code
// to continue, the process won't normally exit until the asynchronous
// task in the background has finished. We set this variable to force
// an exit at the end of our code when `checkForTimeout` is called.
hadTimeout = true;
onTimeout();
}
resolve(undefined);
}, timeoutMs);
});
@ -890,6 +908,22 @@ export async function withTimeout<T>(
return await Promise.race([mainTask(), timeout]);
}
/**
* Check if the global hadTimeout variable has been set, and if so then
* exit the process to ensure any background tasks that are still running
* are killed. This should be called at the end of execution if the
* `withTimeout` function has been used.
*/
export async function checkForTimeout() {
if (hadTimeout === true) {
core.info(
"A timeout occurred, force exiting the process after 30 seconds to prevent hanging."
);
await delay(30_000);
process.exit();
}
}
/**
* This function implements a heuristic to determine whether the
* runner we are on is hosted by GitHub. It does this by checking