robojerk/codeql-action

Introduce a feature-flag to enable/disable lua-based tracing.

Browse source 
This allows us to gradually roll out (or even roll back)
Lua-based tracing in case problems occur.
This commit is contained in:
Cornelius Riemenschneider 2022-05-05 10:53:35 +02:00 committed by GitHub
parent e655565390
commit 9e9a8428c3
18 changed files with 98 additions and 59 deletions
Download patch file Download diff file Expand all files Collapse all files

25
src/codeql.ts
View file

@ -12,6 +12,7 @@ import * as api from "./api-client";
import { Config } from "./config-utils";
import * as defaults from "./defaults.json"; // Referenced from codeql-action-sync-tool!
import { errorMatchers } from "./error-matcher";
import { FeatureFlags, FeatureFlag } from "./feature-flags";
import { isTracedLanguage, Language } from "./languages";
import { Logger } from "./logging";
import * as toolcache from "./toolcache";
@ -83,7 +84,8 @@ export interface CodeQL {
config: Config,
sourceRoot: string,
processName: string | undefined,
processLevel: number | undefined
processLevel: number | undefined,
featureFlags: FeatureFlags
): Promise<void>;
/**
* Runs the autobuilder for the given language.
@ -220,6 +222,7 @@ const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
export const CODEQL_VERSION_COUNTS_LINES = "2.6.2";
const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
export const CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.9.2";
/**
* This variable controls using the new style of tracing from the CodeQL
@ -726,7 +729,8 @@ async function getCodeQLForCmd(
config: Config,
sourceRoot: string,
processName: string | undefined,
processLevel: number | undefined
processLevel: number | undefined,
featureFlags: FeatureFlags
) {
const extraArgs = config.languages.map(
(language) => `--language=${language}`
@ -741,6 +745,15 @@ async function getCodeQLForCmd(
// because that always passes in a process name.
extraArgs.push(`--trace-process-level=${processLevel || 3}`);
}
if (
await util.codeQlVersionAbove(this, CODEQL_VERSION_LUA_TRACER_CONFIG)
) {
if (await featureFlags.getValue(FeatureFlag.LuaTracerConfigEnabled)) {
extraArgs.push("--internal-use-lua-tracing");
} else {
extraArgs.push("--no-internal-use-lua-tracing");
}
}
}
await runTool(cmd, [
"database",
@ -1091,10 +1104,10 @@ export function getExtraOptions(
paths.length === 0
? asExtraOptions(options, pathInfo)
: getExtraOptions(
options?.[paths[0]],
paths?.slice(1),
pathInfo.concat(paths[0])
);
options?.[paths[0]],
paths?.slice(1),
pathInfo.concat(paths[0])
);
return all.concat(specific);
}

24
src/feature-flags.test.ts
View file

@ -31,12 +31,12 @@ const ALL_FEATURE_FLAGS_DISABLED_VARIANTS: Array<{
description: string;
gitHubVersion: util.GitHubVersion;
}> = [
{
description: "GHES",
gitHubVersion: { type: GitHubVariant.GHES, version: "3.0.0" },
},
{ description: "GHAE", gitHubVersion: { type: GitHubVariant.GHAE } },
];
{
description: "GHES",
gitHubVersion: { type: GitHubVariant.GHES, version: "3.0.0" },
},
{ description: "GHAE", gitHubVersion: { type: GitHubVariant.GHAE } },
];
for (const variant of ALL_FEATURE_FLAGS_DISABLED_VARIANTS) {
test(`All feature flags are disabled if running against ${variant.description}`, async (t) => {
@ -60,7 +60,7 @@ for (const variant of ALL_FEATURE_FLAGS_DISABLED_VARIANTS) {
(v: LoggedMessage) =>
v.type === "debug" &&
v.message ===
"Not running against github.com. Disabling all feature flags."
"Not running against github.com. Disabling all feature flags."
) !== undefined
);
});
@ -91,7 +91,7 @@ test("Feature flags are disabled if they're not returned in API response", async
(v: LoggedMessage) =>
v.type === "debug" &&
v.message ===
`Feature flag '${featureFlag}' undefined in API response, considering it disabled.`
`Feature flag '${featureFlag}' undefined in API response, considering it disabled.`
) !== undefined
);
}
@ -121,7 +121,10 @@ test("Feature flags exception is propagated if the API request errors", async (t
});
});
const FEATURE_FLAGS = ["ml_powered_queries_enabled"];
const FEATURE_FLAGS = [
"ml_powered_queries_enabled",
"lua_tracer_config_enabled",
];
for (const featureFlag of FEATURE_FLAGS) {
test(`Feature flag '${featureFlag}' is enabled if enabled in the API response`, async (t) => {
@ -146,6 +149,9 @@ for (const featureFlag of FEATURE_FLAGS) {
ml_powered_queries_enabled: await featureFlags.getValue(
FeatureFlag.MlPoweredQueriesEnabled
),
lua_tracer_config_enabled: await featureFlags.getValue(
FeatureFlag.LuaTracerConfigEnabled
),
};
t.deepEqual(actualFeatureFlags, expectedFeatureFlags);

9
src/feature-flags.ts
View file

@ -9,6 +9,7 @@ export interface FeatureFlags {
export enum FeatureFlag {
MlPoweredQueriesEnabled = "ml_powered_queries_enabled",
LuaTracerConfigEnabled = "lua_tracer_config_enabled",
}
/**
@ -27,7 +28,7 @@ export class GitHubFeatureFlags implements FeatureFlags {
private apiDetails: GitHubApiDetails,
private repositoryNwo: RepositoryNwo,
private logger: Logger
) {}
) { }
async getValue(flag: FeatureFlag): Promise<boolean> {
const response = (await this.getApiResponse())[flag];
@ -63,9 +64,9 @@ export class GitHubFeatureFlags implements FeatureFlags {
if (util.isHTTPError(e) && e.status === 403) {
this.logger.warning(
"This run of the CodeQL Action does not have permission to access Code Scanning API endpoints. " +
"As a result, it will not be opted into any experimental features. " +
"This could be because the Action is running on a pull request from a fork. If not, " +
`please ensure the Action has the 'security-events: write' permission. Details: ${e}`
"As a result, it will not be opted into any experimental features. " +
"This could be because the Action is running on a pull request from a fork. If not, " +
`please ensure the Action has the 'security-events: write' permission. Details: ${e}`
);
} else {
// Some feature flags, such as `ml_powered_queries_enabled` affect the produced alerts.

5
src/init-action.ts
View file

@ -240,7 +240,7 @@ async function run() {
core.exportVariable(
"CODEQL_RAM",
process.env["CODEQL_RAM"] ||
getMemoryFlagValue(getOptionalInput("ram")).toString()
getMemoryFlagValue(getOptionalInput("ram")).toString()
);
core.exportVariable(
"CODEQL_THREADS",
@ -257,7 +257,8 @@ async function run() {
config,
sourceRoot,
"Runner.Worker.exe",
undefined
undefined,
featureFlags
);
if (tracerConfig !== undefined) {
for (const [key, value] of Object.entries(tracerConfig.env)) {

12
src/init.ts
View file

@ -87,7 +87,8 @@ export async function runInit(
config: configUtils.Config,
sourceRoot: string,
processName: string | undefined,
processLevel: number | undefined
processLevel: number | undefined,
featureFlags: FeatureFlags
): Promise<TracerConfig | undefined> {
fs.mkdirSync(config.dbLocation, { recursive: true });
@ -98,7 +99,8 @@ export async function runInit(
config,
sourceRoot,
processName,
processLevel
processLevel,
featureFlags
);
} else {
for (const language of config.languages) {
@ -263,9 +265,9 @@ export async function installPythonDeps(codeql: CodeQL, logger: Logger) {
logger.endGroup();
logger.warning(
`An error occurred while trying to automatically install Python dependencies: ${e}\n` +
"Please make sure any necessary dependencies are installed before calling the codeql-action/analyze " +
"step, and add a 'setup-python-dependencies: false' argument to this step to disable our automatic " +
"dependency installation and avoid this warning."
"Please make sure any necessary dependencies are installed before calling the codeql-action/analyze " +
"step, and add a 'setup-python-dependencies: false' argument to this step to disable our automatic " +
"dependency installation and avoid this warning."
);
return;
}

43
src/runner.ts
View file

@ -180,14 +180,14 @@ program
.option(
"--ram <number>",
"The amount of memory in MB that can be used by CodeQL extractors. " +
"By default, CodeQL extractors will use most of the memory available in the system. " +
'This input also sets the amount of memory that can later be used by the "analyze" command.'
"By default, CodeQL extractors will use most of the memory available in the system. " +
'This input also sets the amount of memory that can later be used by the "analyze" command.'
)
.option(
"--threads <number>",
"The number of threads that can be used by CodeQL extractors. " +
"By default, CodeQL extractors will use all the hardware threads available in the system. " +
'This input also sets the number of threads that can later be used by the "analyze" command.'
"By default, CodeQL extractors will use all the hardware threads available in the system. " +
'This input also sets the number of threads that can later be used by the "analyze" command.'
)
.action(async (cmd: InitArgs) => {
const logger = getRunnerLogger(cmd.debug);
@ -271,7 +271,8 @@ program
config,
sourceRoot,
parseTraceProcessName(),
parseTraceProcessLevel()
parseTraceProcessLevel(),
createFeatureFlags([])
);
if (tracerConfig === undefined) {
return;
@ -309,9 +310,9 @@ program
logger.info(
`\nCodeQL environment output to "${jsonEnvFile}", "${batEnvFile}" and "${powershellEnvFile}". ` +
`Please export these variables to future processes so that CodeQL can monitor the build. ` +
`If using cmd/batch run "call ${batEnvFile}" ` +
`or if using PowerShell run "cat ${powershellEnvFile} | Invoke-Expression".`
`Please export these variables to future processes so that CodeQL can monitor the build. ` +
`If using cmd/batch run "call ${batEnvFile}" ` +
`or if using PowerShell run "cat ${powershellEnvFile} | Invoke-Expression".`
);
} else {
// Assume that anything that's not windows is using a unix-style shell
@ -327,8 +328,8 @@ program
logger.info(
`\nCodeQL environment output to "${jsonEnvFile}" and "${shEnvFile}". ` +
`Please export these variables to future processes so that CodeQL can monitor the build, ` +
`for example by running ". ${shEnvFile}".`
`Please export these variables to future processes so that CodeQL can monitor the build, ` +
`for example by running ". ${shEnvFile}".`
);
}
} catch (e) {
@ -363,7 +364,7 @@ program
if (config === undefined) {
throw new Error(
"Config file could not be found at expected location. " +
"Was the 'init' command run with the same '--temp-dir' argument as this command."
"Was the 'init' command run with the same '--temp-dir' argument as this command."
);
}
await enrichEnvironment(Mode.runner, await getCodeQL(config.codeQLCmd));
@ -374,9 +375,9 @@ program
if (language === undefined || !config.languages.includes(language)) {
throw new Error(
`"${cmd.language}" is not a recognised language. ` +
`Known languages in this project are ${config.languages.join(
", "
)}.`
`Known languages in this project are ${config.languages.join(
", "
)}.`
);
}
} else {
@ -440,9 +441,9 @@ program
.option(
"--ram <ram>",
"The amount of memory in MB that can be used by CodeQL for database finalization and query execution. " +
'By default, this command will use the same amount of memory as previously set in the "init" command. ' +
'If the "init" command also does not have an explicit "ram" flag, this command will use most of the ' +
"memory available in the system."
'By default, this command will use the same amount of memory as previously set in the "init" command. ' +
'If the "init" command also does not have an explicit "ram" flag, this command will use most of the ' +
"memory available in the system."
)
.option(
"--no-add-snippets",
@ -451,9 +452,9 @@ program
.option(
"--threads <threads>",
"The number of threads that can be used by CodeQL for database finalization and query execution. " +
'By default, this command will use the same number of threads as previously set in the "init" command. ' +
'If the "init" command also does not have an explicit "threads" flag, this command will use all the ' +
"hardware threads available in the system."
'By default, this command will use the same number of threads as previously set in the "init" command. ' +
'If the "init" command also does not have an explicit "threads" flag, this command will use all the ' +
"hardware threads available in the system."
)
.option(
"--temp-dir <dir>",
@ -471,7 +472,7 @@ program
if (config === undefined) {
throw new Error(
"Config file could not be found at expected location. " +
"Was the 'init' command run with the same '--temp-dir' argument as this command."
"Was the 'init' command run with the same '--temp-dir' argument as this command."
);
}
await enrichEnvironment(Mode.runner, await getCodeQL(config.codeQLCmd));