Log warning if SIP is disabled and CLI version is < 2.15.1 (#2261)

* PR Checks: use `macos-12` runners for CLI v. < 2.15.1 Prior to CLI v2.15.1, MacOS ARM runners were not supported by the build tracer. "macos-latest" is now an ARM runner, so we run these tests on the old CLIs on Intel runners instead. * Log a warning if SIP is disabled and CLI is < 2.15.1 * Add changenote for SIP-disabled support on old CLI versions * Set up Python 3.11 for all MacOS checks
2024-04-25 15:20:13 -07:00 · 2024-04-25 15:20:13 -07:00 · ac2f82a1ff
commit ac2f82a1ff
parent 0ad7791640
74 changed files with 251 additions and 136 deletions
--- a/src/analyze.ts
+++ b/src/analyze.ts
@ -303,7 +303,7 @@ export async function runQueries(
      }

      if (
-        !(await util.codeQlVersionAbove(
+        !(await util.codeQlVersionAtLeast(
          codeql,
          CODEQL_VERSION_ANALYSIS_SUMMARY_V2,
        ))
--- a/src/codeql.ts
+++ b/src/codeql.ts
@ -597,7 +597,7 @@ export async function getCodeQLForCmd(
      }

      if (
-        await util.codeQlVersionAbove(
+        await util.codeQlVersionAtLeast(
          this,
          CODEQL_VERSION_LANGUAGE_BASELINE_CONFIG,
        )
@ -608,7 +608,7 @@ export async function getCodeQLForCmd(
      if (await isSublanguageFileCoverageEnabled(config, this)) {
        extraArgs.push("--sublanguage-file-coverage");
      } else if (
-        await util.codeQlVersionAbove(
+        await util.codeQlVersionAtLeast(
          this,
          CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE,
        )
@ -842,7 +842,7 @@ export async function getCodeQLForCmd(
        }),
      ];
      if (
-        await util.codeQlVersionAbove(
+        await util.codeQlVersionAtLeast(
          this,
          CODEQL_VERSION_FINE_GRAINED_PARALLELISM,
        )
@ -897,7 +897,7 @@ export async function getCodeQLForCmd(
      if (await isSublanguageFileCoverageEnabled(config, this)) {
        codeqlArgs.push("--sublanguage-file-coverage");
      } else if (
-        await util.codeQlVersionAbove(
+        await util.codeQlVersionAtLeast(
          this,
          CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE,
        )
@ -910,7 +910,7 @@ export async function getCodeQLForCmd(
        codeqlArgs.push("--no-sarif-include-diagnostics");
      }
      if (
-        (await util.codeQlVersionAbove(
+        (await util.codeQlVersionAtLeast(
          this,
          CODEQL_VERSION_ANALYSIS_SUMMARY_V2,
        )) &&
@ -1144,7 +1144,7 @@ export async function getCodeQLForCmd(
  // CodeQL object is created.
  if (
    checkVersion &&
-    !(await util.codeQlVersionAbove(codeql, CODEQL_MINIMUM_VERSION))
+    !(await util.codeQlVersionAtLeast(codeql, CODEQL_MINIMUM_VERSION))
  ) {
    throw new util.ConfigurationError(
      `Expected a CodeQL CLI with version at least ${CODEQL_MINIMUM_VERSION} but got version ${
@ -1154,7 +1154,7 @@ export async function getCodeQLForCmd(
  } else if (
    checkVersion &&
    process.env[EnvVar.SUPPRESS_DEPRECATED_SOON_WARNING] !== "true" &&
-    !(await util.codeQlVersionAbove(codeql, CODEQL_NEXT_MINIMUM_VERSION))
+    !(await util.codeQlVersionAtLeast(codeql, CODEQL_NEXT_MINIMUM_VERSION))
  ) {
    const result = await codeql.getVersion();
    core.warning(
@ -1403,14 +1403,16 @@ export function getGeneratedCodeScanningConfigPath(config: Config): string {
 async function isDiagnosticsExportInvalidSarifFixed(
  codeql: CodeQL,
 ): Promise<boolean> {
-  return await util.codeQlVersionAbove(
+  return await util.codeQlVersionAtLeast(
    codeql,
    CODEQL_VERSION_DIAGNOSTICS_EXPORT_FIXED,
  );
 }

 async function getLanguageAliasingArguments(codeql: CodeQL): Promise<string[]> {
-  if (await util.codeQlVersionAbove(codeql, CODEQL_VERSION_LANGUAGE_ALIASING)) {
+  if (
+    await util.codeQlVersionAtLeast(codeql, CODEQL_VERSION_LANGUAGE_ALIASING)
+  ) {
    return ["--extractor-include-aliases"];
  }
  return [];
@ -1424,7 +1426,7 @@ async function isSublanguageFileCoverageEnabled(
    // Sub-language file coverage is first supported in GHES 3.12.
    (config.gitHubVersion.type !== util.GitHubVariant.GHES ||
      semver.gte(config.gitHubVersion.version, "3.12.0")) &&
-    (await util.codeQlVersionAbove(
+    (await util.codeQlVersionAtLeast(
      codeql,
      CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE,
    ))
@ -1435,7 +1437,7 @@ async function getCodeScanningQueryHelpArguments(
  codeql: CodeQL,
 ): Promise<string[]> {
  if (
-    await util.codeQlVersionAbove(codeql, CODEQL_VERSION_INCLUDE_QUERY_HELP)
+    await util.codeQlVersionAtLeast(codeql, CODEQL_VERSION_INCLUDE_QUERY_HELP)
  ) {
    return ["--sarif-include-query-help=always"];
  }
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@ -13,7 +13,7 @@ import { Logger } from "./logging";
 import { RepositoryNwo } from "./repository";
 import { downloadTrapCaches } from "./trap-caching";
 import {
-  codeQlVersionAbove,
+  codeQlVersionAtLeast,
  GitHubVersion,
  prettyPrintPack,
  ConfigurationError,
@ -359,7 +359,7 @@ export async function getLanguages(
 export async function getLanguageAliases(
  codeql: CodeQL,
 ): Promise<{ [alias: string]: string } | undefined> {
-  if (await codeQlVersionAbove(codeql, CODEQL_VERSION_LANGUAGE_ALIASING)) {
+  if (await codeQlVersionAtLeast(codeql, CODEQL_VERSION_LANGUAGE_ALIASING)) {
    return (await codeql.betterResolveLanguages()).aliases;
  }
  return undefined;
--- a/src/feature-flags.ts
+++ b/src/feature-flags.ts
@ -200,7 +200,7 @@ export class Features implements FeatureEnablement {
    // Never use this feature if the CLI version explicitly can't support it.
    const minimumVersion = featureConfig[feature].minimumVersion;
    if (codeql && minimumVersion) {
-      if (!(await util.codeQlVersionAbove(codeql, minimumVersion))) {
+      if (!(await util.codeQlVersionAtLeast(codeql, minimumVersion))) {
        this.logger.debug(
          `Feature ${feature} is disabled because the CodeQL CLI version is older than the minimum ` +
            `version ${minimumVersion}.`,
--- a/src/init-action.ts
+++ b/src/init-action.ts
@ -24,7 +24,13 @@ import {
 } from "./diagnostics";
 import { EnvVar } from "./environment";
 import { Feature, Features } from "./feature-flags";
-import { checkInstallPython311, initCodeQL, initConfig, runInit } from "./init";
+import {
+  checkInstallPython311,
+  initCodeQL,
+  initConfig,
+  isSipEnabled,
+  runInit,
+} from "./init";
 import { Language } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
@ -42,7 +48,7 @@ import {
  checkDiskUsage,
  checkForTimeout,
  checkGitHubVersionInRange,
-  codeQlVersionAbove,
+  codeQlVersionAtLeast,
  DEFAULT_DEBUG_ARTIFACT_NAME,
  DEFAULT_DEBUG_DATABASE_NAME,
  getMemoryFlagValue,
@ -426,8 +432,8 @@ async function run() {
    const kotlinLimitVar =
      "CODEQL_EXTRACTOR_KOTLIN_OVERRIDE_MAXIMUM_VERSION_LIMIT";
    if (
-      (await codeQlVersionAbove(codeql, "2.13.4")) &&
-      !(await codeQlVersionAbove(codeql, "2.14.4"))
+      (await codeQlVersionAtLeast(codeql, "2.13.4")) &&
+      !(await codeQlVersionAtLeast(codeql, "2.14.4"))
    ) {
      core.exportVariable(kotlinLimitVar, "1.9.20");
    }
@ -435,8 +441,8 @@ async function run() {
    if (
      config.languages.includes(Language.java) &&
      // Java Lombok support is enabled by default for >= 2.14.4
-      (await codeQlVersionAbove(codeql, "2.14.0")) &&
-      !(await codeQlVersionAbove(codeql, "2.14.4"))
+      (await codeQlVersionAtLeast(codeql, "2.14.0")) &&
+      !(await codeQlVersionAtLeast(codeql, "2.14.4"))
    ) {
      const envVar = "CODEQL_EXTRACTOR_JAVA_RUN_ANNOTATION_PROCESSORS";
      if (process.env[envVar]) {
@ -467,19 +473,32 @@ async function run() {
      }
    }

+    // For CLI versions <2.15.1, build tracing caused errors in MacOS ARM machines with
+    // System Integrity Protection (SIP) disabled.
+    if (
+      !(await codeQlVersionAtLeast(codeql, "2.15.1")) &&
+      process.platform === "darwin" &&
+      (process.arch === "arm" || process.arch === "arm64") &&
+      !(await isSipEnabled(logger))
+    ) {
+      logger.warning(
+        "CodeQL versions 2.15.0 and lower are not supported on MacOS ARM machines with System Integrity Protection (SIP) disabled.",
+      );
+    }
+
    // From 2.16.0 the default for the python extractor is to not perform any
    // dependency extraction. For versions before that, you needed to set this flag to
    // enable this behavior (supported since 2.13.1).

-    if (await codeQlVersionAbove(codeql, "2.17.1")) {
+    if (await codeQlVersionAtLeast(codeql, "2.17.1")) {
      // disabled by default, no warning
-    } else if (await codeQlVersionAbove(codeql, "2.16.0")) {
+    } else if (await codeQlVersionAtLeast(codeql, "2.16.0")) {
      // disabled by default, prints warning if environment variable is not set
      core.exportVariable(
        "CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION",
        "true",
      );
-    } else if (await codeQlVersionAbove(codeql, "2.13.1")) {
+    } else if (await codeQlVersionAtLeast(codeql, "2.13.1")) {
      core.exportVariable(
        "CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION",
        "true",
--- a/src/init.ts
+++ b/src/init.ts
@ -1,6 +1,7 @@
 import * as fs from "fs";
 import * as path from "path";

+import * as exec from "@actions/exec/lib/exec";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 import * as safeWhich from "@chrisgavin/safe-which";

@ -140,3 +141,33 @@ export async function checkInstallPython311(
    ]).exec();
  }
 }
+
+// For MacOS runners: runs `csrutil status` to determine whether System
+// Integrity Protection is enabled.
+export async function isSipEnabled(logger): Promise<boolean | undefined> {
+  try {
+    const sipStatusOutput = await exec.getExecOutput("csrutil status");
+    if (sipStatusOutput.exitCode === 0) {
+      if (
+        sipStatusOutput.stdout.includes(
+          "System Integrity Protection status: enabled.",
+        )
+      ) {
+        return true;
+      }
+      if (
+        sipStatusOutput.stdout.includes(
+          "System Integrity Protection status: disabled.",
+        )
+      ) {
+        return false;
+      }
+    }
+    return undefined;
+  } catch (e) {
+    logger.warning(
+      `Failed to determine if System Integrity Protection was enabled: ${e}`,
+    );
+    return undefined;
+  }
+}
--- a/src/resolve-environment.ts
+++ b/src/resolve-environment.ts
@ -23,7 +23,7 @@ export async function runResolveBuildEnvironment(
  // If the CodeQL CLI version in use supports language aliasing, give the CLI the raw language
  // input. Otherwise, parse the language input and give the CLI the parsed language.
  if (
-    !(await util.codeQlVersionAbove(codeql, CODEQL_VERSION_LANGUAGE_ALIASING))
+    !(await util.codeQlVersionAtLeast(codeql, CODEQL_VERSION_LANGUAGE_ALIASING))
  ) {
    const parsedLanguage = parseLanguage(languageInput)?.toString();
    if (parsedLanguage === undefined) {
@ -39,7 +39,10 @@ export async function runResolveBuildEnvironment(
  // If the CodeQL version in use does not support the `resolve build-environment`
  // command, just return an empty configuration. Otherwise invoke the CLI.
  if (
-    !(await util.codeQlVersionAbove(codeql, CODEQL_VERSION_RESOLVE_ENVIRONMENT))
+    !(await util.codeQlVersionAtLeast(
+      codeql,
+      CODEQL_VERSION_RESOLVE_ENVIRONMENT,
+    ))
  ) {
    logger.warning(
      "Unsupported CodeQL CLI version for `resolve build-environment` command, " +
--- a/src/util.ts
+++ b/src/util.ts
@ -682,7 +682,7 @@ export function getCachedCodeQlVersion(): undefined | VersionInfo {
  return cachedCodeQlVersion;
 }

-export async function codeQlVersionAbove(
+export async function codeQlVersionAtLeast(
  codeql: CodeQL,
  requiredVersion: string,
 ): Promise<boolean> {