robojerk/codeql-action

Merge main into wait-for-processing-2.

Browse source
This commit is contained in:
Chris Gavin 2022-04-14 08:48:39 +01:00
commit e7869d541b
No known key found for this signature in database
GPG key ID: 07F950B80C27E4DA
92 changed files with 1144 additions and 410 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.github/workflows/__analyze-ref-input.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -69,7 +70,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

5
.github/workflows/__debug-artifacts.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -53,7 +54,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
@ -70,7 +71,7 @@ jobs:
run: ./build.sh
- uses: ./../action/analyze
id: analysis
- uses: actions/download-artifact@v2
- uses: actions/download-artifact@v3
with:
name: my-debug-artifacts-${{ matrix.os }}-${{ matrix.version }}
- shell: bash

3
.github/workflows/__extractor-ram-threads.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -31,7 +32,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

5
.github/workflows/__go-custom-queries.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -69,13 +70,13 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- uses: actions/setup-go@v2
- uses: actions/setup-go@v3
with:
go-version: ^1.13.1
- uses: ./../action/init

5
.github/workflows/__go-custom-tracing-autobuild.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -53,13 +54,13 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- uses: actions/setup-go@v2
- uses: actions/setup-go@v3
with:
go-version: ^1.13.1
- uses: ./../action/init

5
.github/workflows/__go-custom-tracing.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -69,13 +70,13 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- uses: actions/setup-go@v2
- uses: actions/setup-go@v3
with:
go-version: ^1.13.1
- uses: ./../action/init

3
.github/workflows/__javascript-source-root.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -35,7 +36,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

119
.github/workflows/__ml-powered-queries.yml generated vendored Normal file
View file

@ -0,0 +1,119 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# pip install ruamel.yaml && python3 sync.py
# to regenerate this file.
name: PR Check - ML-powered queries
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}
jobs:
ml-powered-queries:
strategy:
matrix:
include:
- os: ubuntu-latest
version: stable-20220120
- os: macos-latest
version: stable-20220120
- os: windows-latest
version: stable-20220120
- os: ubuntu-latest
version: cached
- os: macos-latest
version: cached
- os: windows-latest
version: cached
- os: ubuntu-latest
version: latest
- os: macos-latest
version: latest
- os: windows-latest
version: latest
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
- os: windows-latest
version: nightly-latest
name: ML-powered queries
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init
with:
languages: javascript
queries: security-extended
source-root: ./../action/tests/ml-powered-queries-repo
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
env:
TEST_MODE: true
- name: Upload SARIF
uses: actions/upload-artifact@v3
with:
name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
path: ${{ runner.temp }}/results/javascript.sarif
retention-days: 7
- name: Check results
env:
IS_WINDOWS: ${{ matrix.os == 'windows-latest' }}
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should run at least the ML-powered queries in `expected_rules`.
expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
for rule in ${expected_rules}; do
found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
flatten | .[].id] | any(. == $rule)' javascript.sarif)
echo "Did find rule '${rule}': ${found_rule}"
if [[ "${found_rule}" != "true" && "${IS_WINDOWS}" != "true" ]]; then
echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
exit 1
elif [[ "${found_rule}" == "true" && "${IS_WINDOWS}" == "true" ]]; then
echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
exit 1
fi
done
# We should have at least one alert from an ML-powered query.
num_alerts=$(jq '[.runs[0].results[] |
select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
javascript.sarif)
echo "Found ${num_alerts} alerts from ML-powered queries.";
if [[ "${num_alerts}" -eq 0 && "${IS_WINDOWS}" != "true" ]]; then
echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
exit 1
elif [[ "${num_alerts}" -ne 0 && "${IS_WINDOWS}" == "true" ]]; then
echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
exit 1
fi
env:
INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

3
.github/workflows/__multi-language-autodetect.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -53,7 +54,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

3
.github/workflows/__packaging-config-inputs-js.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -33,7 +34,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

3
.github/workflows/__packaging-config-js.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -33,7 +34,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

3
.github/workflows/__packaging-inputs-js.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -33,7 +34,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

3
.github/workflows/__remote-config.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -69,7 +70,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

3
.github/workflows/__rubocop-multi-language.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -41,7 +42,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

3
.github/workflows/__split-workflow.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -33,7 +34,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

67
.github/workflows/__test-autobuild-working-dir.yml generated vendored Normal file
View file

@ -0,0 +1,67 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# pip install ruamel.yaml && python3 sync.py
# to regenerate this file.
name: PR Check - Autobuild working directory
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}
jobs:
test-autobuild-working-dir:
strategy:
matrix:
include:
- os: ubuntu-latest
version: latest
name: Autobuild working directory
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- name: Test setup
shell: bash
run: |
# Make sure that Gradle build succeeds in autobuild-dir ...
cp -a ../action/tests/java-repo autobuild-dir
# ... and fails if attempted in the current directory
echo > build.gradle
- uses: ./../action/init
with:
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
- uses: ./../action/analyze
env:
TEST_MODE: true
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d java ]]; then
echo "Did not find a Java database"
exit 1
fi
env:
INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

3
.github/workflows/__test-local-codeql.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -31,7 +32,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

3
.github/workflows/__test-proxy.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -31,7 +32,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

3
.github/workflows/__test-ruby.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -41,7 +42,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

3
.github/workflows/__unset-environment.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -41,7 +42,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

3
.github/workflows/__upload-ref-sha-input.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -69,7 +70,7 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test

5
.github/workflows/__with-checkout-path.yml generated vendored
View file

@ -12,6 +12,7 @@ on:
branches:
- main
- v1
- v2
pull_request:
types:
- opened
@ -69,13 +70,13 @@ jobs:
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
path: x/y/z/some-path

2
.github/workflows/check-expected-release-files.yml vendored
View file

@ -15,7 +15,7 @@ jobs:
steps:
- name: Checkout CodeQL Action
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Check Expected Release Files
run: |
bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"

8
.github/workflows/codeql.yml vendored
View file

@ -2,9 +2,9 @@ name: "CodeQL action"
on:
push:
branches: [main, v1]
branches: [main, v1, v2]
pull_request:
branches: [main, v1]
branches: [main, v1, v2]
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
# by other workflows.
types: [opened, synchronize, reopened, ready_for_review]
@ -20,7 +20,7 @@ jobs:
security-events: write
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Init with default CodeQL bundle from the VM image
id: init-default
uses: ./init
@ -75,7 +75,7 @@ jobs:
security-events: write
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- uses: ./init
id: init
with:

4
.github/workflows/post-release-mergeback.yml vendored
View file

@ -34,8 +34,8 @@ jobs:
GITHUB_CONTEXT: '${{ toJson(github) }}'
run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v2
- uses: actions/setup-node@v2
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- name: Update git config
run: |

50
.github/workflows/pr-checks.yml vendored
View file

@ -2,7 +2,7 @@ name: PR Checks (Basic Checks and Runner)
on:
push:
branches: [main, v1]
branches: [main, v1, v2]
pull_request:
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
# by other workflows.
@ -16,7 +16,7 @@ jobs:
timeout-minutes: 45
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Run Lint
run: npm run-script lint
@ -30,7 +30,7 @@ jobs:
node-types-version: [12.12, current]
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Update version of @types/node
if: matrix.node-types-version != 'current'
@ -46,11 +46,13 @@ jobs:
# `npm install` on Linux.
npm install
git config --global user.email "github-actions@github.com"
git config --global user.name "github-actions[bot]"
# The period in `git add --all .` ensures that we stage deleted files too.
git add --all .
git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
if [ ! -z "$(git status --porcelain)" ]; then
git config --global user.email "github-actions@github.com"
git config --global user.name "github-actions[bot]"
# The period in `git add --all .` ensures that we stage deleted files too.
git add --all .
git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
fi
- name: Check generated JS
run: .github/workflows/script/check-js.sh
@ -61,7 +63,7 @@ jobs:
timeout-minutes: 45
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Check node modules up to date
run: .github/workflows/script/check-node-modules.sh
@ -71,9 +73,9 @@ jobs:
timeout-minutes: 45
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Set up Python
uses: actions/setup-python@v2
uses: actions/setup-python@v3
with:
python-version: 3.8
- name: Install dependencies
@ -93,7 +95,7 @@ jobs:
timeout-minutes: 45
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: npm run-script test
run: npm run-script test
@ -104,7 +106,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Build runner
run: |
@ -133,7 +135,7 @@ jobs:
runs-on: windows-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Build runner
run: |
@ -158,7 +160,7 @@ jobs:
runs-on: macos-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Build runner
run: |
@ -183,7 +185,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Move codeql-action
shell: bash
@ -223,7 +225,7 @@ jobs:
runs-on: windows-2019
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Move codeql-action
shell: bash
@ -251,7 +253,7 @@ jobs:
& $Env:CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
- name: Upload tracer logs
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@v3
with:
name: tracer-logs
path: ./codeql-runner/compound-build-tracer.log
@ -269,7 +271,7 @@ jobs:
runs-on: macos-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Move codeql-action
shell: bash
@ -308,7 +310,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Move codeql-action
shell: bash
@ -347,7 +349,7 @@ jobs:
runs-on: windows-2019
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Move codeql-action
shell: bash
@ -385,7 +387,7 @@ jobs:
timeout-minutes: 45
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Move codeql-action
shell: bash
@ -425,7 +427,7 @@ jobs:
if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Build runner
run: |
@ -446,7 +448,7 @@ jobs:
timeout-minutes: 45
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Build runner
run: |

10
.github/workflows/python-deps.yml vendored
View file

@ -2,7 +2,7 @@ name: Test Python Package Installation on Linux and Mac
on:
push:
branches: [main, v1]
branches: [main, v1, v2]
pull_request:
# Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
# by other workflows.
@ -25,7 +25,7 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Initialize CodeQL
uses: ./init
@ -71,7 +71,7 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- name: Initialize CodeQL
uses: ./init
@ -122,9 +122,9 @@ jobs:
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v2
- uses: actions/checkout@v3
- uses: actions/setup-python@v2
- uses: actions/setup-python@v3
with:
python-version: ${{ matrix.python_version }}

55
.github/workflows/release-runner.yml vendored
View file

@ -1,55 +0,0 @@
name: Release runner
on:
workflow_dispatch:
inputs:
bundle-tag:
description: 'Tag of the bundle release (e.g., "codeql-bundle-20200826")'
required: false
jobs:
release-runner:
timeout-minutes: 45
runs-on: ubuntu-latest
env:
RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"
strategy:
matrix:
extension: ["linux", "macos", "win.exe"]
steps:
- uses: actions/checkout@v2
- name: Build runner
run: |
cd runner
npm install
npm run build-runner
- uses: actions/upload-artifact@v2
with:
name: codeql-runner-${{matrix.extension}}
path: runner/dist/codeql-runner-${{matrix.extension}}
- name: Resolve Upload URL for the release
if: ${{ github.event.inputs.bundle-tag != null }}
id: save_url
run: |
UPLOAD_URL=$(curl -sS \
"https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${RELEASE_TAG}" \
-H "Accept: application/json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" | jq .upload_url | sed s/\"//g)
echo ${UPLOAD_URL}
echo "::set-output name=upload_url::${UPLOAD_URL}"
- name: Upload Platform Package
if: ${{ github.event.inputs.bundle-tag != null }}
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.save_url.outputs.upload_url }}
asset_path: runner/dist/codeql-runner-${{matrix.extension}}
asset_name: codeql-runner-${{matrix.extension}}
asset_content_type: application/octet-stream

74
.github/workflows/split.yml vendored
View file

@ -1,74 +0,0 @@
#
# Split the CodeQL Bundle into platform bundles
#
# Instructions:
# 1. Upload the new codeql-bundle (codeql-bundle.tar.gz) as an asset of the
# release (codeql-bundle-20200826)
# 2. Take note of the CLI Release used by the bundle (e.g., v2.2.5)
# 3. Manually launch this workflow file (via the Actions UI) specifying
# - The CLI Release (e.g., v2.2.5)
# - The release tag (e.g., codeql-bundle-20200826)
# 4. If everything succeeds you should see 3 new assets.
#
name: Split Bundle
on:
workflow_dispatch:
inputs:
cli-release:
description: 'CodeQL CLI Release (e.g., "v2.2.5")'
required: true
bundle-tag:
description: 'Tag of the bundle release (e.g., "codeql-bundle-20200826")'
required: true
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 45
env:
CLI_RELEASE: "${{ github.event.inputs.cli-release }}"
RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"
strategy:
fail-fast: false
matrix:
platform: ["linux64", "osx64", "win64"]
steps:
- name: Resolve Upload URL for the release
id: save_url
run: |
UPLOAD_URL=$(curl -sS \
"https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${RELEASE_TAG}" \
-H "Accept: application/json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" | jq .upload_url | sed s/\"//g)
echo ${UPLOAD_URL}
echo "::set-output name=upload_url::${UPLOAD_URL}"
- name: Download CodeQL CLI and Bundle
run: |
wget --no-verbose "https://github.com/${GITHUB_REPOSITORY}/releases/download/${RELEASE_TAG}/codeql-bundle.tar.gz"
wget --no-verbose "https://github.com/github/codeql-cli-binaries/releases/download/${CLI_RELEASE}/codeql-${{matrix.platform}}.zip"
- name: Create Platform Package
# Replace the codeql-binaries with the platform specific ones
run: |
gunzip codeql-bundle.tar.gz
tar -f codeql-bundle.tar --delete codeql
unzip -q codeql-${{matrix.platform}}.zip
tar -f codeql-bundle.tar --append codeql
gzip codeql-bundle.tar
mv codeql-bundle.tar.gz codeql-bundle-${{matrix.platform}}.tar.gz
du -sh codeql-bundle-${{matrix.platform}}.tar.gz
- name: Upload Platform Package
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.save_url.outputs.upload_url }}
asset_path: ./codeql-bundle-${{matrix.platform}}.tar.gz
asset_name: codeql-bundle-${{matrix.platform}}.tar.gz
asset_content_type: application/tar+gzip

2
.github/workflows/update-dependencies.yml vendored
View file

@ -11,7 +11,7 @@ jobs:
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Remove PR label
env:

8
.github/workflows/update-release-branch.yml vendored
View file

@ -23,13 +23,13 @@ jobs:
GITHUB_CONTEXT: '${{ toJson(github) }}'
run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
# Need full history so we calculate diffs
fetch-depth: 0
- name: Set up Python
uses: actions/setup-python@v2
uses: actions/setup-python@v3
with:
python-version: 3.8
@ -49,7 +49,7 @@ jobs:
python .github/update-release-branch.py \
--github-token ${{ secrets.GITHUB_TOKEN }} \
--repository-nwo ${{ github.repository }} \
--mode release-v2 \
--mode v2-release \
--conductor ${GITHUB_ACTOR}
- name: Update v1 release branch
@ -58,5 +58,5 @@ jobs:
python .github/update-release-branch.py \
--github-token ${{ secrets.GITHUB_TOKEN }} \
--repository-nwo ${{ github.repository }} \
--mode release-v1 \
--mode v1-release \
--conductor ${GITHUB_ACTOR}

6
.github/workflows/update-supported-enterprise-server-versions.yml vendored
View file

@ -13,13 +13,13 @@ jobs:
steps:
- name: Setup Python
uses: actions/setup-python@v2
uses: actions/setup-python@v3
with:
python-version: "3.7"
- name: Checkout CodeQL Action
uses: actions/checkout@v2
uses: actions/checkout@v3
- name: Checkout Enterprise Releases
uses: actions/checkout@v2
uses: actions/checkout@v3
with:
repository: github/enterprise-releases
ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}

17
CHANGELOG.md
View file

@ -2,9 +2,23 @@
## [UNRELEASED]
- Add `working-directory` input to the `autobuild` action. [#1024](https://github.com/github/codeql-action/pull/1024)
- The `analyze` and `upload-sarif` actions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting the `wait-for-processing` action input to `"false"`. [#1007](https://github.com/github/codeql-action/pull/1007)
## 2.1.8 - 08 Apr 2022
- Update default CodeQL bundle version to 2.8.5. [#1014](https://github.com/github/codeql-action/pull/1014)
- Fix error where the init action would fail due to a GitHub API request that was taking too long to complete [#1025](https://github.com/github/codeql-action/pull/1025)
## 2.1.7 - 05 Apr 2022
- A bug where additional queries specified in the workflow file would sometimes not be respected has been fixed. [#1018](https://github.com/github/codeql-action/pull/1018)
## 2.1.6 - 30 Mar 2022
- [v2+ only] The CodeQL Action now runs on Node.js v16. [#1000](https://github.com/github/codeql-action/pull/1000)
- Update default CodeQL bundle version to 2.8.4. [#990](https://github.com/github/codeql-action/pull/990)
- The `analyze` and `upload-sarif` actions will now wait up to 2 minutes for processing to complete after they have uploaded the results so they can report any processing errors that occurred. This behavior can be disabled by setting the `wait-for-processing` action input to `"false"`. [#1007](https://github.com/github/codeql-action/pull/1007)
- Fix a bug where an invalid `commit_oid` was being sent to code scanning when a custom checkout path was being used. [#956](https://github.com/github/codeql-action/pull/956)
## 1.1.5 - 15 Mar 2022
@ -22,7 +36,6 @@
## 1.1.3 - 23 Feb 2022
- Fix a bug where the CLR traces can continue tracing even after tracing should be stopped. [#938](https://github.com/github/codeql-action/pull/938)
- Fix a bug where an invalid `commit_oid` was being sent to code scanning when a custom checkout path was being used. [#956](https://github.com/github/codeql-action/pull/956)
## 1.1.2 - 17 Feb 2022

2
CODEOWNERS
View file

@ -1 +1,3 @@
**/* @github/codeql-action-reviewers
/python-setup/ @github/codeql-python @github/codeql-action-reviewers

20
README.md
View file

@ -52,11 +52,11 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v2
uses: actions/checkout@v3
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
uses: github/codeql-action/init@v2
# Override language selection by uncommenting this and choosing your languages
# with:
# languages: go, javascript, csharp, python, cpp, java
@ -64,7 +64,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below).
- name: Autobuild
uses: github/codeql-action/autobuild@v1
uses: github/codeql-action/autobuild@v2
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@ -78,14 +78,14 @@ jobs:
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
uses: github/codeql-action/analyze@v2
```
If you prefer to integrate this within an existing CI workflow, it should end up looking something like this:
```yaml
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
uses: github/codeql-action/init@v2
with:
languages: go, javascript
@ -95,7 +95,7 @@ If you prefer to integrate this within an existing CI workflow, it should end up
make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
uses: github/codeql-action/analyze@v2
```
### Configuration file
@ -103,7 +103,7 @@ If you prefer to integrate this within an existing CI workflow, it should end up
Use the `config-file` parameter of the `init` action to enable the configuration file. The value of `config-file` is the path to the configuration file you want to use. This example loads the configuration file `./.github/codeql/codeql-config.yml`.
```yaml
- uses: github/codeql-action/init@v1
- uses: github/codeql-action/init@v2
with:
config-file: ./.github/codeql/codeql-config.yml
```
@ -111,7 +111,7 @@ Use the `config-file` parameter of the `init` action to enable the configuration
The configuration file can be located in a different repository. This is useful if you want to share the same configuration across multiple repositories. If the configuration file is in a private repository you can also specify an `external-repository-token` option. This should be a personal access token that has read access to any repositories containing referenced config files and queries.
```yaml
- uses: github/codeql-action/init@v1
- uses: github/codeql-action/init@v2
with:
config-file: owner/repo/codeql-config.yml@branch
external-repository-token: ${{ secrets.EXTERNAL_REPOSITORY_TOKEN }}
@ -122,7 +122,7 @@ For information on how to write a configuration file, see "[Using a custom confi
If you only want to customise the queries used, you can specify them in your workflow instead of creating a config file, using the `queries` property of the `init` action:
```yaml
- uses: github/codeql-action/init@v1
- uses: github/codeql-action/init@v2
with:
queries: <local-or-remote-query>,<another-query>
```
@ -130,7 +130,7 @@ If you only want to customise the queries used, you can specify them in your wor
By default, this will override any queries specified in a config file. If you wish to use both sets of queries, prefix the list of queries in the workflow with `+`:
```yaml
- uses: github/codeql-action/init@v1
- uses: github/codeql-action/init@v2
with:
queries: +<local-or-remote-query>,<another-query>
```

8
autobuild/action.yml
View file

@ -6,6 +6,12 @@ inputs:
default: ${{ github.token }}
matrix:
default: ${{ toJson(matrix) }}
working-directory:
description: >-
Run the autobuilder using this path (relative to $GITHUB_WORKSPACE) as
working directory. If this input is not set, the autobuilder runs with
$GITHUB_WORKSPACE as its working directory.
required: false
runs:
using: 'node16'
main: '../lib/autobuild-action.js'
main: '../lib/autobuild-action.js'

4
lib/actions-util.js generated
View file

@ -357,7 +357,7 @@ async function getWorkflowPath() {
const repo = repo_nwo[1];
const run_id = Number((0, util_1.getRequiredEnvParam)("GITHUB_RUN_ID"));
const apiClient = api.getActionsApiClient();
const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id", {
const runsResponse = await apiClient.request("GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true", {
owner,
repo,
run_id,
@ -455,7 +455,7 @@ async function getRef() {
return ref;
}
const head = await (0, exports.getCommitOid)(checkoutPath, "HEAD");
// in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
// in actions/checkout@v2+ we can check if git rev-parse HEAD == GITHUB_SHA
// in actions/checkout@v1 this may not be true as it checks out the repository
// using GITHUB_REF. There is a subtle race condition where
// git rev-parse GITHUB_REF != GITHUB_SHA, so we must check

2
lib/actions-util.js.map
View file

File diff suppressed because one or more lines are too long

3
lib/analyze.js generated
View file

@ -133,8 +133,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
}
const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
try {
if (hasPackWithCustomQueries &&
!(await util.codeQlVersionAbove(codeql, codeql_1.CODEQL_VERSION_CONFIG_FILES))) {
if (hasPackWithCustomQueries) {
logger.info("Performing analysis with custom CodeQL Packs.");
logger.startGroup(`Downloading custom packs for ${language}`);
const results = await codeql.packDownload(packsWithVersion);

2
lib/analyze.js.map
View file

File diff suppressed because one or more lines are too long

5
lib/autobuild-action.js generated
View file

@ -52,6 +52,11 @@ async function run() {
}
language = (0, autobuild_1.determineAutobuildLanguage)(config, logger);
if (language !== undefined) {
const workingDirectory = (0, actions_util_1.getOptionalInput)("working-directory");
if (workingDirectory) {
logger.info(`Changing autobuilder working directory to ${workingDirectory}`);
process.chdir(workingDirectory);
}
await (0, autobuild_1.runAutobuild)(language, config, logger);
}
}

2
lib/autobuild-action.js.map
View file

@ -1 +1 @@
{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAMwB;AACxB,2CAAuE;AACvE,6DAA+C;AAE/C,uCAA6C;AAC7C,iCAAqD;AAErD,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AASvC,KAAK,UAAU,yBAAyB,CACtC,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAEjD,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,EACd,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,QAAQ,GAAyB,SAAS,CAAC;IAC/C,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,+BAAgB,EACtB,MAAM,IAAA,qCAAsB,EAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC,CACjE,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,SAAS,CACzC,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QACF,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QACD,QAAQ,GAAG,IAAA,sCAA0B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtD,IAAI,QAAQ,KAAK,SAAS,EAAE;YAC1B,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;SAC9C;KACF;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CACZ,mIACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,yBAAyB,CAC7B,SAAS,EACT,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,EAC1B,QAAQ,EACR,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AACzE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAOwB;AACxB,2CAAuE;AACvE,6DAA+C;AAE/C,uCAA6C;AAC7C,iCAAqD;AAErD,8CAA8C;AAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAAC;AASvC,KAAK,UAAU,yBAAyB,CACtC,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,WAAI,CAAC,OAAO,EAAE,GAAG,CAAC,OAAO,CAAC,CAAC;IAEjD,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,qCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,OAAO,EACd,KAAK,aAAL,KAAK,uBAAL,KAAK,CAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,+BAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,IAAI,QAAQ,GAAyB,SAAS,CAAC;IAC/C,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,+BAAgB,EACtB,MAAM,IAAA,qCAAsB,EAAC,WAAW,EAAE,UAAU,EAAE,SAAS,CAAC,CACjE,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,SAAS,CACzC,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;QACF,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QACD,QAAQ,GAAG,IAAA,sCAA0B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACtD,IAAI,QAAQ,KAAK,SAAS,EAAE;YAC1B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE;gBACpB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;aACjC;YACD,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;SAC9C;KACF;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CACZ,mIACE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CACvD,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QACnB,MAAM,yBAAyB,CAC7B,SAAS,EACT,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,EAC1B,QAAQ,EACR,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAC1D,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,SAAS,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;AACzE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,KAAK,EAAE,CAAC,CAAC;QACpD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;KACpB;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

35
lib/codeql.js generated
View file

@ -22,12 +22,11 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_ML_POWERED_QUERIES = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CommandInvocationError = void 0;
exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_ML_POWERED_QUERIES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CommandInvocationError = void 0;
const fs = __importStar(require("fs"));
const path = __importStar(require("path"));
const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
const fast_deep_equal_1 = __importDefault(require("fast-deep-equal"));
const yaml = __importStar(require("js-yaml"));
const query_string_1 = __importDefault(require("query-string"));
const semver = __importStar(require("semver"));
const actions_util_1 = require("./actions-util");
@ -76,7 +75,6 @@ const CODEQL_VERSION_GROUP_RULES = "2.5.5";
const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
exports.CODEQL_VERSION_COUNTS_LINES = "2.6.2";
const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
exports.CODEQL_VERSION_CONFIG_FILES = "2.8.2"; // Versions before 2.8.2 weren't tolerant to unknown properties
exports.CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
/**
* This variable controls using the new style of tracing from the CodeQL
@ -468,29 +466,6 @@ async function getCodeQLForCmd(cmd, checkVersion) {
extraArgs.push(`--trace-process-level=${processLevel || 3}`);
}
}
if (await util.codeQlVersionAbove(codeql, exports.CODEQL_VERSION_CONFIG_FILES)) {
const configLocation = path.resolve(config.tempDir, "user-config.yaml");
const augmentedConfig = config.originalUserInput;
if (config.injectedMlQueries) {
// We need to inject the ML queries into the original user input before
// we pass this on to the CLI, to make sure these get run.
let packString = util_1.ML_POWERED_JS_QUERIES_PACK.packName;
if (util_1.ML_POWERED_JS_QUERIES_PACK.version)
packString = `${packString}@${util_1.ML_POWERED_JS_QUERIES_PACK.version}`;
if (augmentedConfig.packs === undefined)
augmentedConfig.packs = [];
if (Array.isArray(augmentedConfig.packs)) {
augmentedConfig.packs.push(packString);
}
else {
if (!augmentedConfig.packs.javascript)
augmentedConfig.packs["javascript"] = [];
augmentedConfig.packs["javascript"].push(packString);
}
}
fs.writeFileSync(configLocation, yaml.dump(augmentedConfig));
extraArgs.push(`--codescanning-config=${configLocation}`);
}
await runTool(cmd, [
"database",
"init",
@ -611,9 +586,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
if (extraSearchPath !== undefined) {
codeqlArgs.push("--additional-packs", extraSearchPath);
}
if (!(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_CONFIG_FILES))) {
codeqlArgs.push(querySuitePath);
}
codeqlArgs.push(querySuitePath);
await runTool(cmd, codeqlArgs);
},
async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, automationDetailsId) {
@ -640,9 +613,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
codeqlArgs.push("--sarif-category", automationDetailsId);
}
codeqlArgs.push(databasePath);
if (!(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_CONFIG_FILES))) {
codeqlArgs.push(...querySuitePaths);
}
codeqlArgs.push(...querySuitePaths);
// capture stdout, which contains analysis summaries
return await runTool(cmd, codeqlArgs);
},

2
lib/codeql.js.map
View file

File diff suppressed because one or more lines are too long

9
lib/config-utils.js generated
View file

@ -130,15 +130,18 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
// If we're running the JavaScript security-extended analysis (or a superset of it), the repo is
// opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
// pack, then add the ML-powered query pack so that we run ML-powered queries.
if (languages.includes("javascript") &&
if (
// Disable ML-powered queries on Windows
process.platform !== "win32" &&
languages.includes("javascript") &&
(found === "security-extended" || found === "security-and-quality") &&
!((_a = packs.javascript) === null || _a === void 0 ? void 0 : _a.some((pack) => pack.packName === util_1.ML_POWERED_JS_QUERIES_PACK.packName)) &&
!((_a = packs.javascript) === null || _a === void 0 ? void 0 : _a.some((pack) => pack.packName === util_1.ML_POWERED_JS_QUERIES_PACK_NAME)) &&
(await featureFlags.getValue(feature_flags_1.FeatureFlag.MlPoweredQueriesEnabled)) &&
(await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_ML_POWERED_QUERIES))) {
if (!packs.javascript) {
packs.javascript = [];
}
packs.javascript.push(util_1.ML_POWERED_JS_QUERIES_PACK);
packs.javascript.push(await (0, util_1.getMlPoweredJsQueriesPack)(codeQL));
injectedMlQueries = true;
}
const suites = languages.map((l) => `${l}-${suiteName}.qls`);

2
lib/config-utils.js.map
View file

File diff suppressed because one or more lines are too long

17
lib/config-utils.test.js generated
View file

@ -911,11 +911,20 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
? `${expectedVersionString} are`
: "aren't"} loaded for packs: ${packsInput}, queries: ${queriesInput} using CLI v${codeQLVersion} when feature flag is ${isMlPoweredQueriesFlagEnabled ? "enabled" : "disabled"}`,
});
// macro, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, versionString
// macro, codeQLVersion, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, expectedVersionString
// Test that ML-powered queries aren't run on v2.7.4 of the CLI.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.4", true, undefined, "security-extended", undefined);
// Test that ML-powered queries aren't run when the feature flag is off.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", false, undefined, "security-extended", undefined);
// Test that ML-powered queries aren't run when the user hasn't specified that we should run the
// `security-extended` or `security-and-quality` query suite.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-extended", "~0.1.0");
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-and-quality", "~0.1.0");
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", "0.0.1");
// Test that ML-powered queries are run on non-Windows platforms running `security-extended`.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.1.0");
// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality`.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-and-quality", process.platform === "win32" ? undefined : "~0.1.0");
// Test that we don't inject an ML-powered query pack if the user has already specified one.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", process.platform === "win32" ? undefined : "0.0.1");
// Test that the ~0.2.0 version of ML-powered queries is run on v2.8.4 of the CLI.
(0, ava_1.default)(mlPoweredQueriesMacro, "2.8.4", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.2.0");
//# sourceMappingURL=config-utils.test.js.map

2
lib/config-utils.test.js.map
View file

File diff suppressed because one or more lines are too long

2
lib/defaults.json
View file

@ -1,3 +1,3 @@
{
"bundleVersion": "codeql-bundle-20220322"
"bundleVersion": "codeql-bundle-20220401"
}

55
lib/util.js generated
View file

@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.getMlPoweredJsQueriesStatus = exports.ML_POWERED_JS_QUERIES_PACK = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isGitHubGhesVersionBelow = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isGitHubGhesVersionBelow = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
const fs = __importStar(require("fs"));
const os = __importStar(require("os"));
const path = __importStar(require("path"));
@ -545,24 +545,26 @@ function isGoodVersion(versionSpec) {
return !BROKEN_VERSIONS.includes(versionSpec);
}
exports.isGoodVersion = isGoodVersion;
exports.ML_POWERED_JS_QUERIES_PACK_NAME = "codeql/javascript-experimental-atm-queries";
/**
* The ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
* Gets the ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
* queries beta.
*/
exports.ML_POWERED_JS_QUERIES_PACK = {
packName: "codeql/javascript-experimental-atm-queries",
version: "~0.1.0",
};
async function getMlPoweredJsQueriesPack(codeQL) {
if (await codeQlVersionAbove(codeQL, "2.8.4")) {
return { packName: exports.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.2.0" };
}
return { packName: exports.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" };
}
exports.getMlPoweredJsQueriesPack = getMlPoweredJsQueriesPack;
/**
* Get information about ML-powered JS queries to populate status reports with.
*
* This will be:
*
* - The version string if the analysis is using the ML-powered query pack that will be added to the
* analysis if the repo is opted into the ML-powered queries beta, i.e.
* {@link ML_POWERED_JS_QUERIES_PACK.version}. If the version string
* {@link ML_POWERED_JS_QUERIES_PACK.version} is undefined, then the status report string will be
* "latest", however this shouldn't occur in practice (see comment below).
* - The version string if the analysis is using a single version of the ML-powered query pack.
* - "latest" if the version string of the ML-powered query pack is undefined. This is unlikely to
* occur in practice (see comment below).
* - "false" if the analysis won't run any ML-powered JS queries.
* - "other" in all other cases.
*
@ -572,30 +574,25 @@ exports.ML_POWERED_JS_QUERIES_PACK = {
* version of the CodeQL Action. For instance, we might want to compare the `~0.1.0` and `~0.0.2`
* version strings.
*
* We restrict the set of strings we report here by excluding other version strings and combinations
* of version strings. We do this to limit the cardinality of the ML-powered JS queries status
* report field, since some platforms that ingest this status report bill based on the cardinality
* of its fields.
*
* This function lives here rather than in `init-action.ts` so it's easier to test, since tests for
* `init-action.ts` would each need to live in their own file. See `analyze-action-env.ts` for an
* explanation as to why this is.
*/
function getMlPoweredJsQueriesStatus(config) {
const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter((pack) => pack.packName === exports.ML_POWERED_JS_QUERIES_PACK.packName);
if (mlPoweredJsQueryPacks.length === 0) {
return "false";
const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter((pack) => pack.packName === exports.ML_POWERED_JS_QUERIES_PACK_NAME);
switch (mlPoweredJsQueryPacks.length) {
case 1:
// We should always specify an explicit version string in `getMlPoweredJsQueriesPack`,
// otherwise we won't be able to make changes to the pack unless those changes are compatible
// with each version of the CodeQL Action. Therefore in practice we should only hit the
// `latest` case here when customers have explicitly added the ML-powered query pack to their
// CodeQL config.
return mlPoweredJsQueryPacks[0].version || "latest";
case 0:
return "false";
default:
return "other";
}
const firstVersionString = mlPoweredJsQueryPacks[0].version;
if (mlPoweredJsQueryPacks.length === 1 &&
exports.ML_POWERED_JS_QUERIES_PACK.version === firstVersionString) {
// We should always specify an explicit version string in `ML_POWERED_JS_QUERIES_PACK`,
// otherwise we won't be able to make changes to the pack unless those changes are compatible
// with each version of the CodeQL Action. Therefore in practice, we should never hit the
// `latest` case here.
return exports.ML_POWERED_JS_QUERIES_PACK.version || "latest";
}
return "other";
}
exports.getMlPoweredJsQueriesStatus = getMlPoweredJsQueriesStatus;
//# sourceMappingURL=util.js.map

2
lib/util.js.map
View file

File diff suppressed because one or more lines are too long

43
lib/util.test.js generated
View file

@ -205,32 +205,43 @@ async function mockStdInForAuthExpectError(t, mockLogger, ...text) {
await t.throwsAsync(async () => util.getGitHubAuth(mockLogger, undefined, true, stdin));
}
const ML_POWERED_JS_STATUS_TESTS = [
// If no packs are loaded, status is false.
[[], "false"],
// If another pack is loaded but not the ML-powered query pack, status is false.
[[{ packName: "someOtherPack" }], "false"],
// If the ML-powered query pack is loaded with a specific version, status is that version.
[
[{ packName: "someOtherPack" }, util.ML_POWERED_JS_QUERIES_PACK],
util.ML_POWERED_JS_QUERIES_PACK.version,
],
[[util.ML_POWERED_JS_QUERIES_PACK], util.ML_POWERED_JS_QUERIES_PACK.version],
[[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName }], "other"],
[
[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "~0.0.1" }],
"other",
],
[
[
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.1" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.2" },
],
"other",
[{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" }],
"~0.1.0",
],
// If the ML-powered query pack is loaded with a specific version and another pack is loaded, the
// status is the version of the ML-powered query pack.
[
[
{ packName: "someOtherPack" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName },
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" },
],
"~0.1.0",
],
// If the ML-powered query pack is loaded without a version, the status is "latest".
[[{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME }], "latest"],
// If the ML-powered query pack is loaded with two different versions, the status is "other".
[
[
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.1" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.2" },
],
"other",
],
// If the ML-powered query pack is loaded with no specific version, and another pack is loaded,
// the status is "latest".
[
[
{ packName: "someOtherPack" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME },
],
"latest",
],
];
for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
const packDescriptions = `[${packs

2
lib/util.test.js.map
View file

File diff suppressed because one or more lines are too long

21
node_modules/.package-lock.json generated vendored
View file

@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "2.1.6",
"version": "2.1.9",
"lockfileVersion": 2,
"requires": true,
"packages": {
@ -893,6 +893,14 @@
"node": ">=8"
}
},
"node_modules/array-uniq": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz",
"integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY=",
"engines": {
"node": ">=0.10.0"
}
},
"node_modules/array.prototype.flat": {
"version": "1.2.4",
"resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz",
@ -2788,6 +2796,17 @@
"loc": "dist/cli.js"
}
},
"node_modules/github-linguist/node_modules/array-union": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/array-union/-/array-union-1.0.2.tgz",
"integrity": "sha1-mjRBDk9OPaI96jdb5b5w8kd47Dk=",
"dependencies": {
"array-uniq": "^1.0.1"
},
"engines": {
"node": ">=0.10.0"
}
},
"node_modules/github-linguist/node_modules/commander": {
"version": "2.20.3",
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="

62
node_modules/array-uniq/index.js generated vendored Normal file
View file

@ -0,0 +1,62 @@
'use strict';
// there's 3 implementations written in increasing order of efficiency
// 1 - no Set type is defined
function uniqNoSet(arr) {
var ret = [];
for (var i = 0; i < arr.length; i++) {
if (ret.indexOf(arr[i]) === -1) {
ret.push(arr[i]);
}
}
return ret;
}
// 2 - a simple Set type is defined
function uniqSet(arr) {
var seen = new Set();
return arr.filter(function (el) {
if (!seen.has(el)) {
seen.add(el);
return true;
}
return false;
});
}
// 3 - a standard Set type is defined and it has a forEach method
function uniqSetWithForEach(arr) {
var ret = [];
(new Set(arr)).forEach(function (el) {
ret.push(el);
});
return ret;
}
// V8 currently has a broken implementation
// https://github.com/joyent/node/issues/8449
function doesForEachActuallyWork() {
var ret = false;
(new Set([true])).forEach(function (el) {
ret = el;
});
return ret === true;
}
if ('Set' in global) {
if (typeof Set.prototype.forEach === 'function' && doesForEachActuallyWork()) {
module.exports = uniqSetWithForEach;
} else {
module.exports = uniqSet;
}
} else {
module.exports = uniqNoSet;
}

21
node_modules/array-uniq/license generated vendored Normal file
View file

@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

37
node_modules/array-uniq/package.json generated vendored Normal file
View file

@ -0,0 +1,37 @@
{
"name": "array-uniq",
"version": "1.0.3",
"description": "Create an array without duplicates",
"license": "MIT",
"repository": "sindresorhus/array-uniq",
"author": {
"name": "Sindre Sorhus",
"email": "sindresorhus@gmail.com",
"url": "sindresorhus.com"
},
"engines": {
"node": ">=0.10.0"
},
"scripts": {
"test": "xo && ava"
},
"files": [
"index.js"
],
"keywords": [
"array",
"arr",
"set",
"uniq",
"unique",
"es6",
"duplicate",
"remove"
],
"devDependencies": {
"ava": "*",
"es6-set": "^0.1.0",
"require-uncached": "^1.0.2",
"xo": "*"
}
}

30
node_modules/array-uniq/readme.md generated vendored Normal file
View file

@ -0,0 +1,30 @@
# array-uniq [![Build Status](https://travis-ci.org/sindresorhus/array-uniq.svg?branch=master)](https://travis-ci.org/sindresorhus/array-uniq)
> Create an array without duplicates
It's already pretty fast, but will be much faster when [Set](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Set) becomes available in V8 (especially with large arrays).
## Install
```
$ npm install --save array-uniq
```
## Usage
```js
const arrayUniq = require('array-uniq');
arrayUniq([1, 1, 2, 3, 3]);
//=> [1, 2, 3]
arrayUniq(['foo', 'foo', 'bar', 'foo']);
//=> ['foo', 'bar']
```
## License
MIT © [Sindre Sorhus](https://sindresorhus.com)

6
node_modules/github-linguist/node_modules/array-union/index.js generated vendored Normal file
View file

@ -0,0 +1,6 @@
'use strict';
var arrayUniq = require('array-uniq');
module.exports = function () {
return arrayUniq([].concat.apply([], arguments));
};

21
node_modules/github-linguist/node_modules/array-union/license generated vendored Normal file
View file

@ -0,0 +1,21 @@
The MIT License (MIT)
Copyright (c) Sindre Sorhus <sindresorhus@gmail.com> (sindresorhus.com)
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
THE SOFTWARE.

40
node_modules/github-linguist/node_modules/array-union/package.json generated vendored Normal file
View file

@ -0,0 +1,40 @@
{
"name": "array-union",
"version": "1.0.2",
"description": "Create an array of unique values, in order, from the input arrays",
"license": "MIT",
"repository": "sindresorhus/array-union",
"author": {
"name": "Sindre Sorhus",
"email": "sindresorhus@gmail.com",
"url": "sindresorhus.com"
},
"engines": {
"node": ">=0.10.0"
},
"scripts": {
"test": "xo && ava"
},
"files": [
"index.js"
],
"keywords": [
"array",
"arr",
"set",
"uniq",
"unique",
"duplicate",
"remove",
"union",
"combine",
"merge"
],
"dependencies": {
"array-uniq": "^1.0.1"
},
"devDependencies": {
"ava": "*",
"xo": "*"
}
}

28
node_modules/github-linguist/node_modules/array-union/readme.md generated vendored Normal file
View file

@ -0,0 +1,28 @@
# array-union [![Build Status](https://travis-ci.org/sindresorhus/array-union.svg?branch=master)](https://travis-ci.org/sindresorhus/array-union)
> Create an array of unique values, in order, from the input arrays
## Install
```
$ npm install --save array-union
```
## Usage
```js
const arrayUnion = require('array-union');
arrayUnion([1, 1, 2, 3], [2, 3]);
//=> [1, 2, 3]
arrayUnion(['foo', 'foo', 'bar'], ['foo']);
//=> ['foo', 'bar']
```
## License
MIT © [Sindre Sorhus](https://sindresorhus.com)

36
package-lock.json generated
View file

@ -1,12 +1,12 @@
{
"name": "codeql",
"version": "2.1.6",
"version": "2.1.9",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "codeql",
"version": "2.1.6",
"version": "2.1.9",
"license": "MIT",
"dependencies": {
"@actions/artifact": "^1.0.0",
@ -946,6 +946,14 @@
"node": ">=8"
}
},
"node_modules/array-uniq": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz",
"integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY=",
"engines": {
"node": ">=0.10.0"
}
},
"node_modules/array.prototype.flat": {
"version": "1.2.4",
"resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz",
@ -2841,6 +2849,17 @@
"loc": "dist/cli.js"
}
},
"node_modules/github-linguist/node_modules/array-union": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/array-union/-/array-union-1.0.2.tgz",
"integrity": "sha1-mjRBDk9OPaI96jdb5b5w8kd47Dk=",
"dependencies": {
"array-uniq": "^1.0.1"
},
"engines": {
"node": ">=0.10.0"
}
},
"node_modules/github-linguist/node_modules/commander": {
"version": "2.20.3",
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="
@ -6057,6 +6076,11 @@
"version": "2.1.0",
"integrity": "sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw=="
},
"array-uniq": {
"version": "1.0.3",
"resolved": "https://registry.npmjs.org/array-uniq/-/array-uniq-1.0.3.tgz",
"integrity": "sha1-r2rId6Jcx/dOBYiUdThY39sk/bY="
},
"array.prototype.flat": {
"version": "1.2.4",
"resolved": "https://registry.npmjs.org/array.prototype.flat/-/array.prototype.flat-1.2.4.tgz",
@ -7422,6 +7446,14 @@
"slash2": "^2.0.0"
},
"dependencies": {
"array-union": {
"version": "1.0.2",
"resolved": "https://registry.npmjs.org/array-union/-/array-union-1.0.2.tgz",
"integrity": "sha1-mjRBDk9OPaI96jdb5b5w8kd47Dk=",
"requires": {
"array-uniq": "^1.0.1"
}
},
"commander": {
"version": "2.20.3",
"integrity": "sha512-GpVkmM8vF2vQUkj2LvZmD35JxeJOLCwJ9cUkugyk2nuhbv3+mJvpLYYt+0+USMxE+oj+ey/lJEnhZw75x/OMcQ=="

2
package.json
View file

@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "2.1.6",
"version": "2.1.9",
"private": true,
"description": "CodeQL action",
"scripts": {

2
pr-checks/checks/debug-artifacts.yml
View file

@ -13,7 +13,7 @@ steps:
run: ./build.sh
- uses: ./../action/analyze
id: analysis
- uses: actions/download-artifact@v2
- uses: actions/download-artifact@v3
with:
name: my-debug-artifacts-${{ matrix.os }}-${{ matrix.version }}
- shell: bash

2
pr-checks/checks/go-custom-queries.yml
View file

@ -1,7 +1,7 @@
name: "Go: Custom queries"
description: "Checks that Go works in conjunction with a config file specifying custom queries"
steps:
- uses: actions/setup-go@v2
- uses: actions/setup-go@v3
with:
go-version: "^1.13.1"
- uses: ./../action/init

2
pr-checks/checks/go-custom-tracing-autobuild.yml
View file

@ -4,7 +4,7 @@ os: ["ubuntu-latest", "macos-latest"]
env:
CODEQL_EXTRACTOR_GO_BUILD_TRACING: "true"
steps:
- uses: actions/setup-go@v2
- uses: actions/setup-go@v3
with:
go-version: "^1.13.1"
- uses: ./../action/init

2
pr-checks/checks/go-custom-tracing.yml
View file

@ -3,7 +3,7 @@ description: "Checks that Go tracing works"
env:
CODEQL_EXTRACTOR_GO_BUILD_TRACING: "true"
steps:
- uses: actions/setup-go@v2
- uses: actions/setup-go@v3
with:
go-version: "^1.13.1"
- uses: ./../action/init

67
pr-checks/checks/ml-powered-queries.yml Normal file
View file

@ -0,0 +1,67 @@
name: "ML-powered queries"
description: "Tests that ML-powered queries are run with the security-extended suite and that they produce alerts on a test DB"
versions: [
# Latest release in 2.7.x series
"stable-20220120",
"cached",
"latest",
"nightly-latest",
]
# Test on all three platforms since ML-powered queries use native code
os: ["ubuntu-latest", "macos-latest", "windows-latest"]
steps:
- uses: ./../action/init
with:
languages: javascript
queries: security-extended
source-root: ./../action/tests/ml-powered-queries-repo
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
upload-database: false
env:
TEST_MODE: true
- name: Upload SARIF
uses: actions/upload-artifact@v3
with:
name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
path: "${{ runner.temp }}/results/javascript.sarif"
retention-days: 7
- name: Check results
env:
IS_WINDOWS: ${{ matrix.os == 'windows-latest' }}
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should run at least the ML-powered queries in `expected_rules`.
expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
for rule in ${expected_rules}; do
found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
flatten | .[].id] | any(. == $rule)' javascript.sarif)
echo "Did find rule '${rule}': ${found_rule}"
if [[ "${found_rule}" != "true" && "${IS_WINDOWS}" != "true" ]]; then
echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
exit 1
elif [[ "${found_rule}" == "true" && "${IS_WINDOWS}" == "true" ]]; then
echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
exit 1
fi
done
# We should have at least one alert from an ML-powered query.
num_alerts=$(jq '[.runs[0].results[] |
select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
javascript.sarif)
echo "Found ${num_alerts} alerts from ML-powered queries.";
if [[ "${num_alerts}" -eq 0 && "${IS_WINDOWS}" != "true" ]]; then
echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
exit 1
elif [[ "${num_alerts}" -ne 0 && "${IS_WINDOWS}" == "true" ]]; then
echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
exit 1
fi

30
pr-checks/checks/test-autobuild-working-dir.yml Normal file
View file

@ -0,0 +1,30 @@
name: "Autobuild working directory"
description: "Tests working-directory input of autobuild action"
versions: ["latest"]
os: ["ubuntu-latest"]
steps:
- name: Test setup
shell: bash
run: |
# Make sure that Gradle build succeeds in autobuild-dir ...
cp -a ../action/tests/java-repo autobuild-dir
# ... and fails if attempted in the current directory
echo > build.gradle
- uses: ./../action/init
with:
languages: java
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/autobuild
with:
working-directory: autobuild-dir
- uses: ./../action/analyze
env:
TEST_MODE: true
- name: Check database
shell: bash
run: |
cd "$RUNNER_TEMP/codeql_databases"
if [[ ! -d java ]]; then
echo "Did not find a Java database"
exit 1
fi

2
pr-checks/checks/with-checkout-path.yml
View file

@ -7,7 +7,7 @@ os: [ubuntu-latest, macos-latest, windows-2019]
steps:
# Check out the actions repo again, but at a different location.
# choose an arbitrary SHA so that we can later test that the commit_oid is not from main
- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
path: x/y/z/some-path

4
pr-checks/sync.py
View file

@ -49,7 +49,7 @@ for file in os.listdir('checks'):
steps = [
{
'name': 'Check out repository',
'uses': 'actions/checkout@v2'
'uses': 'actions/checkout@v3'
},
{
'name': 'Prepare test',
@ -108,7 +108,7 @@ for file in os.listdir('checks'):
},
'on': {
'push': {
'branches': ['main', 'v1']
'branches': ['main', 'v1', 'v2']
},
'pull_request': {
'types': ["opened", "synchronize", "reopened", "ready_for_review"]

4
src/actions-util.ts
View file

@ -424,7 +424,7 @@ async function getWorkflowPath(): Promise<string> {
const apiClient = api.getActionsApiClient();
const runsResponse = await apiClient.request(
"GET /repos/:owner/:repo/actions/runs/:run_id",
"GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true",
{
owner,
repo,
@ -544,7 +544,7 @@ export async function getRef(): Promise<string> {
const head = await getCommitOid(checkoutPath, "HEAD");
// in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
// in actions/checkout@v2+ we can check if git rev-parse HEAD == GITHUB_SHA
// in actions/checkout@v1 this may not be true as it checks out the repository
// using GITHUB_REF. There is a subtle race condition where
// git rev-parse GITHUB_REF != GITHUB_SHA, so we must check

6
src/analyze.ts
View file

@ -6,7 +6,6 @@ import * as yaml from "js-yaml";
import * as analysisPaths from "./analysis-paths";
import {
CODEQL_VERSION_CONFIG_FILES,
CODEQL_VERSION_COUNTS_LINES,
CODEQL_VERSION_NEW_TRACING,
getCodeQL,
@ -238,10 +237,7 @@ export async function runQueries(
const codeql = await getCodeQL(config.codeQLCmd);
try {
if (
hasPackWithCustomQueries &&
!(await util.codeQlVersionAbove(codeql, CODEQL_VERSION_CONFIG_FILES))
) {
if (hasPackWithCustomQueries) {
logger.info("Performing analysis with custom CodeQL Packs.");
logger.startGroup(`Downloading custom packs for ${language}`);

8
src/autobuild-action.ts
View file

@ -3,6 +3,7 @@ import * as core from "@actions/core";
import {
createStatusReportBase,
getActionsStatus,
getOptionalInput,
getTemporaryDirectory,
sendStatusReport,
StatusReportBase,
@ -71,6 +72,13 @@ async function run() {
}
language = determineAutobuildLanguage(config, logger);
if (language !== undefined) {
const workingDirectory = getOptionalInput("working-directory");
if (workingDirectory) {
logger.info(
`Changing autobuilder working directory to ${workingDirectory}`
);
process.chdir(workingDirectory);
}
await runAutobuild(language, config, logger);
}
} catch (error) {

33
src/codeql.ts
View file

@ -4,7 +4,6 @@ import * as path from "path";
import * as toolrunner from "@actions/exec/lib/toolrunner";
import { IHeaders } from "@actions/http-client/interfaces";
import { default as deepEqual } from "fast-deep-equal";
import * as yaml from "js-yaml";
import { default as queryString } from "query-string";
import * as semver from "semver";
@ -18,7 +17,7 @@ import { Logger } from "./logging";
import * as toolcache from "./toolcache";
import { toolrunnerErrorCatcher } from "./toolrunner-error-catcher";
import * as util from "./util";
import { isGoodVersion, ML_POWERED_JS_QUERIES_PACK } from "./util";
import { isGoodVersion } from "./util";
type Options = Array<string | number | boolean>;
@ -220,7 +219,6 @@ const CODEQL_VERSION_GROUP_RULES = "2.5.5";
const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
export const CODEQL_VERSION_COUNTS_LINES = "2.6.2";
const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
export const CODEQL_VERSION_CONFIG_FILES = "2.8.2"; // Versions before 2.8.2 weren't tolerant to unknown properties
export const CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
/**
@ -735,27 +733,6 @@ async function getCodeQLForCmd(
extraArgs.push(`--trace-process-level=${processLevel || 3}`);
}
}
if (await util.codeQlVersionAbove(codeql, CODEQL_VERSION_CONFIG_FILES)) {
const configLocation = path.resolve(config.tempDir, "user-config.yaml");
const augmentedConfig = config.originalUserInput;
if (config.injectedMlQueries) {
// We need to inject the ML queries into the original user input before
// we pass this on to the CLI, to make sure these get run.
let packString = ML_POWERED_JS_QUERIES_PACK.packName;
if (ML_POWERED_JS_QUERIES_PACK.version)
packString = `${packString}@${ML_POWERED_JS_QUERIES_PACK.version}`;
if (augmentedConfig.packs === undefined) augmentedConfig.packs = [];
if (Array.isArray(augmentedConfig.packs)) {
augmentedConfig.packs.push(packString);
} else {
if (!augmentedConfig.packs.javascript)
augmentedConfig.packs["javascript"] = [];
augmentedConfig.packs["javascript"].push(packString);
}
}
fs.writeFileSync(configLocation, yaml.dump(augmentedConfig));
extraArgs.push(`--codescanning-config=${configLocation}`);
}
await runTool(cmd, [
"database",
"init",
@ -913,9 +890,7 @@ async function getCodeQLForCmd(
if (extraSearchPath !== undefined) {
codeqlArgs.push("--additional-packs", extraSearchPath);
}
if (!(await util.codeQlVersionAbove(this, CODEQL_VERSION_CONFIG_FILES))) {
codeqlArgs.push(querySuitePath);
}
codeqlArgs.push(querySuitePath);
await runTool(cmd, codeqlArgs);
},
async databaseInterpretResults(
@ -951,9 +926,7 @@ async function getCodeQLForCmd(
codeqlArgs.push("--sarif-category", automationDetailsId);
}
codeqlArgs.push(databasePath);
if (!(await util.codeQlVersionAbove(this, CODEQL_VERSION_CONFIG_FILES))) {
codeqlArgs.push(...querySuitePaths);
}
codeqlArgs.push(...querySuitePaths);
// capture stdout, which contains analysis summaries
return await runTool(cmd, codeqlArgs);
},

24
src/config-utils.test.ts
View file

@ -1788,7 +1788,8 @@ const mlPoweredQueriesMacro = test.macro({
}`,
});
// macro, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, versionString
// macro, codeQLVersion, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, expectedVersionString
// Test that ML-powered queries aren't run on v2.7.4 of the CLI.
test(
mlPoweredQueriesMacro,
"2.7.4",
@ -1797,6 +1798,7 @@ test(
"security-extended",
undefined
);
// Test that ML-powered queries aren't run when the feature flag is off.
test(
mlPoweredQueriesMacro,
"2.7.5",
@ -1805,28 +1807,42 @@ test(
"security-extended",
undefined
);
// Test that ML-powered queries aren't run when the user hasn't specified that we should run the
// `security-extended` or `security-and-quality` query suite.
test(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
// Test that ML-powered queries are run on non-Windows platforms running `security-extended`.
test(
mlPoweredQueriesMacro,
"2.7.5",
true,
undefined,
"security-extended",
"~0.1.0"
process.platform === "win32" ? undefined : "~0.1.0"
);
// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality`.
test(
mlPoweredQueriesMacro,
"2.7.5",
true,
undefined,
"security-and-quality",
"~0.1.0"
process.platform === "win32" ? undefined : "~0.1.0"
);
// Test that we don't inject an ML-powered query pack if the user has already specified one.
test(
mlPoweredQueriesMacro,
"2.7.5",
true,
"codeql/javascript-experimental-atm-queries@0.0.1",
"security-and-quality",
"0.0.1"
process.platform === "win32" ? undefined : "0.0.1"
);
// Test that the ~0.2.0 version of ML-powered queries is run on v2.8.4 of the CLI.
test(
mlPoweredQueriesMacro,
"2.8.4",
true,
undefined,
"security-extended",
process.platform === "win32" ? undefined : "~0.2.0"
);

9
src/config-utils.ts
View file

@ -17,8 +17,9 @@ import { Logger } from "./logging";
import { RepositoryNwo } from "./repository";
import {
codeQlVersionAbove,
getMlPoweredJsQueriesPack,
GitHubVersion,
ML_POWERED_JS_QUERIES_PACK,
ML_POWERED_JS_QUERIES_PACK_NAME,
} from "./util";
// Property names from the user-supplied config file.
@ -299,10 +300,12 @@ async function addBuiltinSuiteQueries(
// opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
// pack, then add the ML-powered query pack so that we run ML-powered queries.
if (
// Disable ML-powered queries on Windows
process.platform !== "win32" &&
languages.includes("javascript") &&
(found === "security-extended" || found === "security-and-quality") &&
!packs.javascript?.some(
(pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK.packName
(pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK_NAME
) &&
(await featureFlags.getValue(FeatureFlag.MlPoweredQueriesEnabled)) &&
(await codeQlVersionAbove(codeQL, CODEQL_VERSION_ML_POWERED_QUERIES))
@ -310,7 +313,7 @@ async function addBuiltinSuiteQueries(
if (!packs.javascript) {
packs.javascript = [];
}
packs.javascript.push(ML_POWERED_JS_QUERIES_PACK);
packs.javascript.push(await getMlPoweredJsQueriesPack(codeQL));
injectedMlQueries = true;
}

2
src/defaults.json
View file

@ -1,3 +1,3 @@
{
"bundleVersion": "codeql-bundle-20220322"
"bundleVersion": "codeql-bundle-20220401"
}

43
src/util.test.ts
View file

@ -294,32 +294,43 @@ async function mockStdInForAuthExpectError(
}
const ML_POWERED_JS_STATUS_TESTS: Array<[PackWithVersion[], string]> = [
// If no packs are loaded, status is false.
[[], "false"],
// If another pack is loaded but not the ML-powered query pack, status is false.
[[{ packName: "someOtherPack" }], "false"],
// If the ML-powered query pack is loaded with a specific version, status is that version.
[
[{ packName: "someOtherPack" }, util.ML_POWERED_JS_QUERIES_PACK],
util.ML_POWERED_JS_QUERIES_PACK.version!,
],
[[util.ML_POWERED_JS_QUERIES_PACK], util.ML_POWERED_JS_QUERIES_PACK.version!],
[[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName }], "other"],
[
[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "~0.0.1" }],
"other",
],
[
[
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.1" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.2" },
],
"other",
[{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" }],
"~0.1.0",
],
// If the ML-powered query pack is loaded with a specific version and another pack is loaded, the
// status is the version of the ML-powered query pack.
[
[
{ packName: "someOtherPack" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName },
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" },
],
"~0.1.0",
],
// If the ML-powered query pack is loaded without a version, the status is "latest".
[[{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME }], "latest"],
// If the ML-powered query pack is loaded with two different versions, the status is "other".
[
[
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.1" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.2" },
],
"other",
],
// If the ML-powered query pack is loaded with no specific version, and another pack is loaded,
// the status is "latest".
[
[
{ packName: "someOtherPack" },
{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME },
],
"latest",
],
];
for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {

58
src/util.ts
View file

@ -653,25 +653,30 @@ export function isGoodVersion(versionSpec: string) {
return !BROKEN_VERSIONS.includes(versionSpec);
}
export const ML_POWERED_JS_QUERIES_PACK_NAME =
"codeql/javascript-experimental-atm-queries";
/**
* The ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
* Gets the ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
* queries beta.
*/
export const ML_POWERED_JS_QUERIES_PACK: PackWithVersion = {
packName: "codeql/javascript-experimental-atm-queries",
version: "~0.1.0",
};
export async function getMlPoweredJsQueriesPack(
codeQL: CodeQL
): Promise<PackWithVersion> {
if (await codeQlVersionAbove(codeQL, "2.8.4")) {
return { packName: ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.2.0" };
}
return { packName: ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" };
}
/**
* Get information about ML-powered JS queries to populate status reports with.
*
* This will be:
*
* - The version string if the analysis is using the ML-powered query pack that will be added to the
* analysis if the repo is opted into the ML-powered queries beta, i.e.
* {@link ML_POWERED_JS_QUERIES_PACK.version}. If the version string
* {@link ML_POWERED_JS_QUERIES_PACK.version} is undefined, then the status report string will be
* "latest", however this shouldn't occur in practice (see comment below).
* - The version string if the analysis is using a single version of the ML-powered query pack.
* - "latest" if the version string of the ML-powered query pack is undefined. This is unlikely to
* occur in practice (see comment below).
* - "false" if the analysis won't run any ML-powered JS queries.
* - "other" in all other cases.
*
@ -681,32 +686,25 @@ export const ML_POWERED_JS_QUERIES_PACK: PackWithVersion = {
* version of the CodeQL Action. For instance, we might want to compare the `~0.1.0` and `~0.0.2`
* version strings.
*
* We restrict the set of strings we report here by excluding other version strings and combinations
* of version strings. We do this to limit the cardinality of the ML-powered JS queries status
* report field, since some platforms that ingest this status report bill based on the cardinality
* of its fields.
*
* This function lives here rather than in `init-action.ts` so it's easier to test, since tests for
* `init-action.ts` would each need to live in their own file. See `analyze-action-env.ts` for an
* explanation as to why this is.
*/
export function getMlPoweredJsQueriesStatus(config: Config): string {
const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter(
(pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK.packName
(pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK_NAME
);
if (mlPoweredJsQueryPacks.length === 0) {
return "false";
switch (mlPoweredJsQueryPacks.length) {
case 1:
// We should always specify an explicit version string in `getMlPoweredJsQueriesPack`,
// otherwise we won't be able to make changes to the pack unless those changes are compatible
// with each version of the CodeQL Action. Therefore in practice we should only hit the
// `latest` case here when customers have explicitly added the ML-powered query pack to their
// CodeQL config.
return mlPoweredJsQueryPacks[0].version || "latest";
case 0:
return "false";
default:
return "other";
}
const firstVersionString = mlPoweredJsQueryPacks[0].version;
if (
mlPoweredJsQueryPacks.length === 1 &&
ML_POWERED_JS_QUERIES_PACK.version === firstVersionString
) {
// We should always specify an explicit version string in `ML_POWERED_JS_QUERIES_PACK`,
// otherwise we won't be able to make changes to the pack unless those changes are compatible
// with each version of the CodeQL Action. Therefore in practice, we should never hit the
// `latest` case here.
return ML_POWERED_JS_QUERIES_PACK.version || "latest";
}
return "other";
}

12
tests/java-repo/build.gradle Normal file
View file

@ -0,0 +1,12 @@
plugins {
id 'application'
}
repositories {
mavenCentral()
}
application {
mainClass = 'Main'
}

8
tests/java-repo/src/main/java/Main.java Normal file
View file

@ -0,0 +1,8 @@
class Main {
public static void main(String args[]) {
if (true) {
System.out.println("Hello, World!");
}
}
}

21
tests/ml-powered-queries-repo/add-note.js Normal file
View file

@ -0,0 +1,21 @@
const mongoose = require('mongoose');
Logger = require('./logger').Logger;
Note = require('./models/note').Note;
(async () => {
if (process.argv.length != 5) {
Logger.log("Creates a private note. Usage: node add-note.js <token> <title> <body>")
return;
}
// Open the default mongoose connection
await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
const [userToken, title, body] = process.argv.slice(2);
await Note.create({ title, body, userToken });
Logger.log(`Created private note with title ${title} and body ${body} belonging to user with token ${userToken}.`);
await mongoose.connection.close();
})();

68
tests/ml-powered-queries-repo/app.js Normal file
View file

@ -0,0 +1,68 @@
const bodyParser = require('body-parser');
const express = require('express');
const mongoose = require('mongoose');
const notesApi = require('./notes-api');
const usersApi = require('./users-api');
const addSampleData = module.exports.addSampleData = async () => {
const [userA, userB] = await User.create([
{
name: "A",
token: "tokenA"
},
{
name: "B",
token: "tokenB"
}
]);
await Note.create([
{
title: "Public note belonging to A",
body: "This is a public note belonging to A",
isPublic: true,
ownerToken: userA.token
},
{
title: "Public note belonging to B",
body: "This is a public note belonging to B",
isPublic: true,
ownerToken: userB.token
},
{
title: "Private note belonging to A",
body: "This is a private note belonging to A",
ownerToken: userA.token
},
{
title: "Private note belonging to B",
body: "This is a private note belonging to B",
ownerToken: userB.token
}
]);
}
module.exports.startApp = async () => {
// Open the default mongoose connection
await mongoose.connect('mongodb://mongo:27017/notes', { useFindAndModify: false });
// Drop contents of DB
mongoose.connection.dropDatabase();
// Add some sample data
await addSampleData();
const app = express();
app.use(bodyParser.json());
app.use(bodyParser.urlencoded());
app.get('/', async (_req, res) => {
res.send('Hello World');
});
app.use('/api/notes', notesApi.router);
app.use('/api/users', usersApi.router);
app.listen(3000);
Logger.log('Express started on port 3000');
};

7
tests/ml-powered-queries-repo/index.js Normal file
View file

@ -0,0 +1,7 @@
const startApp = require('./app').startApp;
Logger = require('./logger').Logger;
Note = require('./models/note').Note;
User = require('./models/user').User;
startApp();

5
tests/ml-powered-queries-repo/logger.js Normal file
View file

@ -0,0 +1,5 @@
module.exports.Logger = class {
log(message, ...objs) {
console.log(message, objs);
}
};

8
tests/ml-powered-queries-repo/models/note.js Normal file
View file

@ -0,0 +1,8 @@
const mongoose = require('mongoose');
module.exports.Note = mongoose.model('Note', new mongoose.Schema({
title: String,
body: String,
ownerToken: String,
isPublic: Boolean
}));

6
tests/ml-powered-queries-repo/models/user.js Normal file
View file

@ -0,0 +1,6 @@
const mongoose = require('mongoose');
module.exports.User = mongoose.model('User', new mongoose.Schema({
name: String,
token: String
}));

44
tests/ml-powered-queries-repo/notes-api.js Normal file
View file

@ -0,0 +1,44 @@
const express = require('express')
const router = module.exports.router = express.Router();
function serializeNote(note) {
return {
title: note.title,
body: note.body
};
}
router.post('/find', async (req, res) => {
const notes = await Note.find({
ownerToken: req.body.token
}).exec();
res.json({
notes: notes.map(serializeNote)
});
});
router.get('/findPublic', async (_req, res) => {
const notes = await Note.find({
isPublic: true
}).exec();
res.json({
notes: notes.map(serializeNote)
});
});
router.post('/findVisible', async (req, res) => {
const notes = await Note.find({
$or: [
{
isPublic: true
},
{
ownerToken: req.body.token
}
]
}).exec();
res.json({
notes: notes.map(serializeNote)
});
});

37
tests/ml-powered-queries-repo/read-notes.js Normal file
View file

@ -0,0 +1,37 @@
const mongoose = require('mongoose');
Logger = require('./logger').Logger;
Note = require('./models/note').Note;
User = require('./models/user').User;
(async () => {
if (process.argv.length != 3) {
Logger.log("Outputs all notes visible to a user. Usage: node read-notes.js <token>")
return;
}
// Open the default mongoose connection
await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
const ownerToken = process.argv[2];
const user = await User.findOne({
token: ownerToken
}).exec();
const notes = await Note.find({
$or: [
{ isPublic: true },
{ ownerToken }
]
}).exec();
notes.map(note => {
Logger.log("Title:" + note.title);
Logger.log("By:" + user.name);
Logger.log("Body:" + note.body);
Logger.log();
});
await mongoose.connection.close();
})();

25
tests/ml-powered-queries-repo/users-api.js Normal file
View file

@ -0,0 +1,25 @@
const express = require('express')
Logger = require('./logger').Logger;
const router = module.exports.router = express.Router();
router.post('/updateName', async (req, res) => {
Logger.log("/updateName called with new name", req.body.name);
await User.findOneAndUpdate({
token: req.body.token
}, {
name: req.body.name
}).exec();
res.json({
name: req.body.name
});
});
router.post('/getName', async (req, res) => {
const user = await User.findOne({
token: req.body.token
}).exec();
res.json({
name: user.name
});
});