Merge branch 'main' into rasmuswl/no-dep-inst-default

2024-01-04 15:28:16 +01:00 · 2024-01-04 15:28:16 +01:00 · ce9d281924
commit ce9d281924
parent dd207935b5 216127f34a
282 changed files with 6791 additions and 1563 deletions
--- a/lib/api-compatibility.json
+++ b/lib/api-compatibility.json
@ -1 +1 @@
-{ "maximumVersion": "3.12", "minimumVersion": "3.7" }
+{ "maximumVersion": "3.12", "minimumVersion": "3.8" }
--- a/lib/codeql.js
+++ b/lib/codeql.js
@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
    return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getGeneratedCodeScanningConfigPath = exports.getTrapCachingExtractorConfigArgsForLang = exports.getTrapCachingExtractorConfigArgs = exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE = exports.CODEQL_VERSION_ANALYSIS_SUMMARY_V2 = exports.CODEQL_VERSION_LANGUAGE_ALIASING = exports.CODEQL_VERSION_LANGUAGE_BASELINE_CONFIG = exports.CODEQL_VERSION_RESOLVE_ENVIRONMENT = exports.CODEQL_VERSION_DIAGNOSTICS_EXPORT_FIXED = exports.CODEQL_VERSION_BETTER_NO_CODE_ERROR_MESSAGE = exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = exports.CODEQL_VERSION_EXPORT_CODE_SCANNING_CONFIG = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CODEQL_VERSION_EXPORT_FAILED_SARIF = exports.CommandInvocationError = void 0;
+exports.getGeneratedCodeScanningConfigPath = exports.getTrapCachingExtractorConfigArgsForLang = exports.getTrapCachingExtractorConfigArgs = exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_SUBLANGUAGE_FILE_COVERAGE = exports.CODEQL_VERSION_ANALYSIS_SUMMARY_V2 = exports.CODEQL_VERSION_LANGUAGE_ALIASING = exports.CODEQL_VERSION_LANGUAGE_BASELINE_CONFIG = exports.CODEQL_VERSION_RESOLVE_ENVIRONMENT = exports.CODEQL_VERSION_DIAGNOSTICS_EXPORT_FIXED = exports.CODEQL_VERSION_BETTER_NO_CODE_ERROR_MESSAGE = exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = exports.CODEQL_VERSION_EXPORT_CODE_SCANNING_CONFIG = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CommandInvocationError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
@ -73,7 +73,7 @@ let cachedCodeQL = undefined;
 * The version flags below can be used to conditionally enable certain features
 * on versions newer than this.
 */
-const CODEQL_MINIMUM_VERSION = "2.10.5";
+const CODEQL_MINIMUM_VERSION = "2.11.6";
 /**
 * This version will shortly become the oldest version of CodeQL that the Action will run with.
 */
@ -92,13 +92,7 @@ const GHES_MOST_RECENT_DEPRECATION_DATE = "2023-11-08";
 * flag is older than the oldest supported version above, it may be removed.
 */
 /**
- * Versions 2.11.3+ of the CodeQL CLI support exporting a failed SARIF file via
- * `codeql database export-diagnostics` or `codeql diagnostics export`.
- */
-exports.CODEQL_VERSION_EXPORT_FAILED_SARIF = "2.11.3";
-const CODEQL_VERSION_FILE_BASELINE_INFORMATION = "2.11.3";
-/**
- * Versions 2.11.1+ of the CodeQL Bundle include a `security-experimental` built-in query suite for
+ * Versions 2.12.1+ of the CodeQL Bundle include a `security-experimental` built-in query suite for
 * each language.
 */
 exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
@ -503,6 +497,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                addSnippetsFlag,
                "--print-diagnostics-summary",
                "--print-metrics-summary",
+                "--sarif-add-baseline-file-info",
                "--sarif-add-query-help",
                "--sarif-group-rules-by-pack",
                ...(await getCodeScanningConfigExportArguments(config, this)),
@ -511,9 +506,6 @@ async function getCodeQLForCmd(cmd, checkVersion) {
            if (automationDetailsId !== undefined) {
                codeqlArgs.push("--sarif-category", automationDetailsId);
            }
-            if (await util.codeQlVersionAbove(this, CODEQL_VERSION_FILE_BASELINE_INFORMATION)) {
-                codeqlArgs.push("--sarif-add-baseline-file-info");
-            }
            if (await isSublanguageFileCoverageEnabled(config, this)) {
                codeqlArgs.push("--sublanguage-file-coverage");
            }
--- a/lib/codeql.js.map
+++ b/lib/codeql.js.map
--- a/lib/codeql.test.js
+++ b/lib/codeql.test.js
@ -604,24 +604,6 @@ const injectedConfigMacro = ava_1.default.macro({
        t.false(hasQlconfigArg, "should NOT have injected a qlconfig");
    });
 });
-(0, ava_1.default)("databaseInterpretResults() sets --sarif-add-baseline-file-info for 2.11.3", async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("2.11.3"));
-    // safeWhich throws because of the test CodeQL object.
-    sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", stubConfig, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
-    t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info should be present, but it is absent");
-});
-(0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-baseline-file-info for 2.11.2", async (t) => {
-    const runnerConstructorStub = stubToolRunnerConstructor();
-    const codeqlObject = await codeql.getCodeQLForTesting();
-    sinon.stub(codeqlObject, "getVersion").resolves((0, testing_utils_1.makeVersionInfo)("2.11.2"));
-    // safeWhich throws because of the test CodeQL object.
-    sinon.stub(safeWhich, "safeWhich").resolves("");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", stubConfig, (0, testing_utils_1.createFeatures)([]), (0, logging_1.getRunnerLogger)(true));
-    t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info must be absent, but it is present");
-});
 const NEW_ANALYSIS_SUMMARY_TEST_CASES = [
    {
        codeqlVersion: "2.15.0",
--- a/lib/codeql.test.js.map
+++ b/lib/codeql.test.js.map
--- a/lib/defaults.json
+++ b/lib/defaults.json
@ -1,6 +1,6 @@
 {
-    "bundleVersion": "codeql-bundle-v2.15.4",
-    "cliVersion": "2.15.4",
-    "priorBundleVersion": "codeql-bundle-v2.15.3",
-    "priorCliVersion": "2.15.3"
+    "bundleVersion": "codeql-bundle-v2.15.5",
+    "cliVersion": "2.15.5",
+    "priorBundleVersion": "codeql-bundle-v2.15.4",
+    "priorCliVersion": "2.15.4"
 }
--- a/lib/feature-flags.js
+++ b/lib/feature-flags.js
@ -76,7 +76,7 @@ exports.featureConfig = {
    },
    [Feature.CliConfigFileEnabled]: {
        envVar: "CODEQL_PASS_CONFIG_TO_CLI",
-        minimumVersion: "2.11.6",
+        minimumVersion: undefined,
        defaultValue: true,
    },
    [Feature.EvaluatorFineGrainedParallelismEnabled]: {
--- a/lib/feature-flags.js.map
+++ b/lib/feature-flags.js.map
--- a/lib/init-action-post-helper.js
+++ b/lib/init-action-post-helper.js
@ -49,10 +49,6 @@ async function maybeUploadFailedSarif(config, repositoryNwo, features, logger) {
    if (!config.codeQLCmd) {
        return { upload_failed_run_skipped_because: "CodeQL command not found" };
    }
-    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
-    if (!(await (0, util_1.codeQlVersionAbove)(codeql, codeql_1.CODEQL_VERSION_EXPORT_FAILED_SARIF))) {
-        return { upload_failed_run_skipped_because: "Unsupported by CodeQL CLI" };
-    }
    const workflow = await (0, workflow_1.getWorkflow)(logger);
    const jobName = (0, util_1.getRequiredEnvParam)("GITHUB_JOB");
    const matrix = (0, util_1.parseMatrixInput)(actionsUtil.getRequiredInput("matrix"));
@ -64,6 +60,7 @@ async function maybeUploadFailedSarif(config, repositoryNwo, features, logger) {
    const category = (0, workflow_1.getCategoryInputOrThrow)(workflow, jobName, matrix);
    const checkoutPath = (0, workflow_1.getCheckoutPathInputOrThrow)(workflow, jobName, matrix);
    const databasePath = config.dbLocation;
+    const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
    const sarifFile = "../codeql-failed-run.sarif";
    // If there is no database or the feature flag is off, we run 'export diagnostics'
    if (databasePath === undefined ||
--- a/lib/init-action-post-helper.js.map
+++ b/lib/init-action-post-helper.js.map
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@ -26,10 +26,9 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.pruneInvalidResults = exports.validateUniqueCategory = exports.waitForProcessing = exports.buildPayload = exports.validateSarifFileSchema = exports.uploadFromActions = exports.findSarifFilesInDir = exports.populateRunAutomationDetails = void 0;
+exports.validateUniqueCategory = exports.waitForProcessing = exports.buildPayload = exports.validateSarifFileSchema = exports.uploadFromActions = exports.findSarifFilesInDir = exports.populateRunAutomationDetails = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
-const process_1 = require("process");
 const zlib_1 = __importDefault(require("zlib"));
 const core = __importStar(require("@actions/core"));
 const file_url_1 = __importDefault(require("file-url"));
@ -264,8 +263,6 @@ async function uploadFiles(sarifFiles, repositoryNwo, commitOid, ref, analysisKe
    let sarif = combineSarifFiles(sarifFiles);
    sarif = await fingerprints.addFingerprints(sarif, sourceRoot, logger);
    sarif = populateRunAutomationDetails(sarif, category, analysisKey, environment);
-    if (process_1.env["CODEQL_DISABLE_SARIF_PRUNING"] !== "true")
-        sarif = pruneInvalidResults(sarif, logger);
    const toolNames = util.getToolNames(sarif);
    validateUniqueCategory(sarif);
    const sarifPayload = JSON.stringify(sarif);
@ -432,37 +429,6 @@ exports.validateUniqueCategory = validateUniqueCategory;
 function sanitize(str) {
    return (str ?? "_").replace(/[^a-zA-Z0-9_]/g, "_").toLocaleUpperCase();
 }
-function pruneInvalidResults(sarif, logger) {
-    let pruned = 0;
-    const newRuns = [];
-    for (const run of sarif.runs || []) {
-        if (run.tool?.driver?.name === "CodeQL" &&
-            run.tool?.driver?.semanticVersion === "2.11.2") {
-            // Version 2.11.2 of the CodeQL CLI had many false positives in the
-            // rb/weak-cryptographic-algorithm query which we prune here. The
-            // issue is tracked in https://github.com/github/codeql/issues/11107.
-            const newResults = [];
-            for (const result of run.results || []) {
-                if (result.ruleId === "rb/weak-cryptographic-algorithm" &&
-                    (result.message?.text?.includes(" MD5 ") ||
-                        result.message?.text?.includes(" SHA1 "))) {
-                    pruned += 1;
-                    continue;
-                }
-                newResults.push(result);
-            }
-            newRuns.push({ ...run, results: newResults });
-        }
-        else {
-            newRuns.push(run);
-        }
-    }
-    if (pruned > 0) {
-        logger.info(`Pruned ${pruned} results believed to be invalid from SARIF file.`);
-    }
-    return { ...sarif, runs: newRuns };
-}
-exports.pruneInvalidResults = pruneInvalidResults;
 /**
 * An error that occurred due to an invalid SARIF upload request.
 */
--- a/lib/upload-lib.js.map
+++ b/lib/upload-lib.js.map
--- a/lib/upload-lib.test.js
+++ b/lib/upload-lib.test.js
@ -32,7 +32,6 @@ const ava_1 = __importDefault(require("ava"));
 const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
 const uploadLib = __importStar(require("./upload-lib"));
-const upload_lib_1 = require("./upload-lib");
 const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
 ava_1.default.beforeEach(() => {
@ -184,55 +183,6 @@ ava_1.default.beforeEach(() => {
    t.throws(() => uploadLib.validateUniqueCategory(sarif1));
    t.throws(() => uploadLib.validateUniqueCategory(sarif2));
 });
-(0, ava_1.default)("pruneInvalidResults", (t) => {
-    const loggedMessages = [];
-    const mockLogger = {
-        info: (message) => {
-            loggedMessages.push(message);
-        },
-    };
-    const sarif = {
-        runs: [
-            {
-                tool: otherTool,
-                results: [resultWithBadMessage1, resultWithGoodMessage],
-            },
-            {
-                tool: affectedCodeQLVersion,
-                results: [
-                    resultWithOtherRuleId,
-                    resultWithBadMessage1,
-                    resultWithBadMessage2,
-                    resultWithGoodMessage,
-                ],
-            },
-            {
-                tool: unaffectedCodeQLVersion,
-                results: [resultWithBadMessage1, resultWithGoodMessage],
-            },
-        ],
-    };
-    const result = (0, upload_lib_1.pruneInvalidResults)(sarif, mockLogger);
-    const expected = {
-        runs: [
-            {
-                tool: otherTool,
-                results: [resultWithBadMessage1, resultWithGoodMessage],
-            },
-            {
-                tool: affectedCodeQLVersion,
-                results: [resultWithOtherRuleId, resultWithGoodMessage],
-            },
-            {
-                tool: unaffectedCodeQLVersion,
-                results: [resultWithBadMessage1, resultWithGoodMessage],
-            },
-        ],
-    };
-    t.deepEqual(result, expected);
-    t.deepEqual(loggedMessages.length, 1);
-    t.assert(loggedMessages[0].includes("Pruned 2 results"));
-});
 (0, ava_1.default)("accept results with invalid artifactLocation.uri value", (t) => {
    const loggedMessages = [];
    const mockLogger = {
@ -245,56 +195,6 @@ ava_1.default.beforeEach(() => {
    t.deepEqual(loggedMessages.length, 1);
    t.deepEqual(loggedMessages[0], "Warning: 'not a valid URI' is not a valid URI in 'instance.runs[0].results[0].locations[0].physicalLocation.artifactLocation.uri'.");
 });
-const affectedCodeQLVersion = {
-    driver: {
-        name: "CodeQL",
-        semanticVersion: "2.11.2",
-    },
-};
-const unaffectedCodeQLVersion = {
-    driver: {
-        name: "CodeQL",
-        semanticVersion: "2.11.3",
-    },
-};
-const otherTool = {
-    driver: {
-        name: "Some other tool",
-        semanticVersion: "2.11.2",
-    },
-};
-const resultWithOtherRuleId = {
-    ruleId: "doNotPrune",
-    message: {
-        text: "should not be pruned even though it says MD5 in it",
-    },
-    locations: [],
-    partialFingerprints: {},
-};
-const resultWithGoodMessage = {
-    ruleId: "rb/weak-cryptographic-algorithm",
-    message: {
-        text: "should not be pruned SHA128 is not a FP",
-    },
-    locations: [],
-    partialFingerprints: {},
-};
-const resultWithBadMessage1 = {
-    ruleId: "rb/weak-cryptographic-algorithm",
-    message: {
-        text: "should be pruned MD5 is a FP",
-    },
-    locations: [],
-    partialFingerprints: {},
-};
-const resultWithBadMessage2 = {
-    ruleId: "rb/weak-cryptographic-algorithm",
-    message: {
-        text: "should be pruned SHA1 is a FP",
-    },
-    locations: [],
-    partialFingerprints: {},
-};
 function createMockSarif(id, tool) {
    return {
        runs: [
--- a/lib/upload-lib.test.js.map
+++ b/lib/upload-lib.test.js.map