robojerk/codeql-action

Merge branch 'main' into rneatherway-patch-1

Browse source
This commit is contained in:
Aditya Sharad 2021-07-26 08:17:02 -07:00 committed by GitHub
commit ecc548b556
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
19 changed files with 210 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

9
.github/depandabot.yml vendored Normal file
View file

@ -0,0 +1,9 @@
version: 2
updates:
- package-ecosystem: "npm"
directory: "/"
schedule:
interval: "weekly"
day: "thursday" # Gives us a working day to merge this before our typical release
labels:
- "Update dependencies"

2
.github/workflows/pr-checks.yml vendored
View file

@ -27,7 +27,7 @@ jobs:
run: .github/workflows/script/check-js.sh
check-node-modules:
runs-on: ubuntu-latest
runs-on: macos-latest
steps:
- uses: actions/checkout@v2

1
.github/workflows/script/check-node-modules.sh vendored
View file

@ -7,6 +7,7 @@ if [ ! -z "$(git status --porcelain)" ]; then
>&2 echo "Failed: Repo should be clean before testing!"
exit 1
fi
sudo npm install --force -g npm@latest
# Reinstall modules and then clean to remove absolute paths
# Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
npm ci

39
.github/workflows/update-dependencies.yml vendored Normal file
View file

@ -0,0 +1,39 @@
name: Update dependencies
on:
pull_request_target:
types: [opened, synchronize, reopened, labeled]
jobs:
update:
name: Update dependencies
runs-on: macos-latest
if: contains(github.event.pull_request.labels.*.name, 'Update dependencies')
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Remove PR label
env:
REPOSITORY: '${{ github.repository }}'
PR_NUMBER: '${{ github.event.pull_request.number }}'
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
run: |
gh api "repos/$REPOSITORY/issues/$PR_NUMBER/labels/Update%20dependencies" -X DELETE
- name: Push updated dependencies
env:
BRANCH: '${{ github.head_ref }}'
run: |
git fetch
git checkout $BRANCH
sudo npm install --force -g npm@latest
npm install
npm ci
npm run removeNPMAbsolutePaths
if [ ! -z "$(git status --porcelain)" ]; then
git config --global user.email "github-actions@github.com"
git config --global user.name "github-actions[bot]"
git add node_modules
git commit -am "Update checked-in dependencies"
git push origin "$BRANCH"
fi

10
CHANGELOG.md
View file

@ -2,7 +2,15 @@
## [UNRELEASED]
- The `init` step of the Action now supports a `source-root` input as a path to the root source-code directory. By default, the path is relative to $GITHUB_WORKSPACE. [#607](https://github.com/github/codeql-action/pull/607)
No user facing changes.
## 1.0.7 - 21 Jul 2021
No user facing changes.
## 1.0.6 - 19 Jul 2021
- The `init` step of the Action now supports a `source-root` input as a path to the root source-code directory. By default, the path is relative to `$GITHUB_WORKSPACE`. [#607](https://github.com/github/codeql-action/pull/607)
- The `init` step will now try to install a few Python tools needed by this Action when running on a self-hosted runner. [#616](https://github.com/github/codeql-action/pull/616)
## 1.0.5 - 12 Jul 2021

11
lib/analyze.js generated
View file

@ -219,12 +219,14 @@ async function runCleanup(config, cleanupLevel, logger) {
}
exports.runCleanup = runCleanup;
async function injectLinesOfCode(sarifFile, language, locPromise) {
var _a;
const lineCounts = await locPromise;
const idPrefix = count_loc_1.getIdPrefix(language);
if (language in lineCounts) {
const sarif = JSON.parse(fs.readFileSync(sarifFile, "utf8"));
if (Array.isArray(sarif.runs)) {
for (const run of sarif.runs) {
// Old style: Baseline is inserted when rule ID has suffix /summary/lines-of-code
const ruleId = `${idPrefix}/summary/lines-of-code`;
run.properties = run.properties || {};
run.properties.metricResults = run.properties.metricResults || [];
@ -235,6 +237,15 @@ async function injectLinesOfCode(sarifFile, language, locPromise) {
if (rule) {
rule.baseline = lineCounts[language];
}
// New style: Baseline is inserted when matching rule has tag lines-of-code
for (const metric of run.properties.metricResults) {
if (metric.rule && metric.rule.toolComponent) {
const matchingRule = run.tool.extensions[metric.rule.toolComponent.index].rules[metric.rule.index];
if ((_a = matchingRule.properties.tags) === null || _a === void 0 ? void 0 : _a.includes("lines-of-code")) {
metric.baseline = lineCounts[language];
}
}
}
}
}
fs.writeFileSync(sarifFile, JSON.stringify(sarif));

2
lib/analyze.js.map
View file

File diff suppressed because one or more lines are too long

43
lib/analyze.test.js generated
View file

@ -88,6 +88,35 @@ ava_1.default("status report fields and search path setting", async (t) => {
],
},
},
// variant 3 references a rule with the lines-of-code tag
{
tool: {
extensions: [
{
rules: [
{
properties: {
tags: ["lines-of-code"],
},
},
],
},
],
},
properties: {
metricResults: [
{
rule: {
index: 0,
toolComponent: {
index: 0,
},
},
value: 123,
},
],
},
},
{},
],
}));
@ -180,8 +209,20 @@ ava_1.default("status report fields and search path setting", async (t) => {
baseline: lineCount,
},
]);
t.deepEqual(sarif.runs[2].properties.metricResults, [
{
rule: {
index: 0,
toolComponent: {
index: 0,
},
},
value: 123,
baseline: lineCount,
},
]);
// when the rule doesn't exist, it should not be added
t.deepEqual(sarif.runs[2].properties.metricResults, []);
t.deepEqual(sarif.runs[3].properties.metricResults, []);
}
function verifyQuerySuites(tmpDir) {
const qlsContent = [

2
lib/analyze.test.js.map
View file

File diff suppressed because one or more lines are too long

6
node_modules/.package-lock.json generated vendored
View file

@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "1.0.6",
"version": "1.0.8",
"lockfileVersion": 2,
"requires": true,
"packages": {
@ -1243,7 +1243,6 @@
"dependencies": {
"anymatch": "~3.1.1",
"braces": "~3.0.2",
"fsevents": "~2.1.2",
"glob-parent": "~5.1.0",
"is-binary-path": "~2.1.0",
"is-glob": "~4.0.1",
@ -3220,9 +3219,6 @@
"node_modules/jsonfile": {
"version": "4.0.0",
"license": "MIT",
"dependencies": {
"graceful-fs": "^4.1.6"
},
"optionalDependencies": {
"graceful-fs": "^4.1.6"
}

7
node_modules/glob-parent/CHANGELOG.md generated vendored
View file

@ -4,6 +4,13 @@
- eliminate ReDoS ([#36](https://github.com/gulpjs/glob-parent/issues/36)) ([f923116](https://github.com/gulpjs/glob-parent/commit/f9231168b0041fea3f8f954b3cceb56269fc6366))
### [6.0.1](https://www.github.com/gulpjs/glob-parent/compare/v6.0.0...v6.0.1) (2021-07-20)
### Bug Fixes
* Resolve ReDoS vulnerability from CVE-2021-35065 ([#49](https://www.github.com/gulpjs/glob-parent/issues/49)) ([3e9f04a](https://www.github.com/gulpjs/glob-parent/commit/3e9f04a3b4349db7e1962d87c9a7398cda51f339))
## [6.0.0](https://www.github.com/gulpjs/glob-parent/compare/v5.1.2...v6.0.0) (2021-05-03)
### ⚠ BREAKING CHANGES

26
node_modules/glob-parent/index.js generated vendored
View file

@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
var slash = '/';
var backslash = /\\/g;
var enclosure = /[{[].*\/.*[}\]]$/;
var globby = /(^|[^\\])([{[]|\([^)]+$)/;
var escaped = /\\([!*?|[\](){}])/g;
@ -24,7 +23,7 @@ module.exports = function globParent(str, opts) {
}
// special case for strings ending in enclosure containing path separator
if (enclosure.test(str)) {
if (isEnclosure(str)) {
str += slash;
}
@ -39,3 +38,26 @@ module.exports = function globParent(str, opts) {
// remove escape chars and return result
return str.replace(escaped, '$1');
};
function isEnclosure(str) {
var lastChar = str.slice(-1);
var enclosureStart;
switch (lastChar) {
case '}':
enclosureStart = '{';
break;
case ']':
enclosureStart = '[';
break;
default:
return false;
}
var foundIndex = str.indexOf(enclosureStart);
if (foundIndex < 0) {
return false;
}
return str.slice(foundIndex + 1, -1).includes(slash);
}

2
node_modules/glob-parent/package.json generated vendored
View file

@ -1,6 +1,6 @@
{
"name": "glob-parent",
"version": "6.0.0",
"version": "6.0.1",
"description": "Extract the non-magic parent path from a glob string.",
"author": "Gulp Team <team@gulpjs.com> (https://gulpjs.com/)",
"contributors": [

8
package-lock.json generated
View file

@ -1,12 +1,12 @@
{
"name": "codeql",
"version": "1.0.6",
"version": "1.0.8",
"lockfileVersion": 2,
"requires": true,
"packages": {
"": {
"name": "codeql",
"version": "1.0.6",
"version": "1.0.8",
"license": "MIT",
"dependencies": {
"@actions/artifact": "^0.5.1",
@ -1297,7 +1297,6 @@
"dependencies": {
"anymatch": "~3.1.1",
"braces": "~3.0.2",
"fsevents": "~2.1.2",
"glob-parent": "~5.1.0",
"is-binary-path": "~2.1.0",
"is-glob": "~4.0.1",
@ -3274,9 +3273,6 @@
"node_modules/jsonfile": {
"version": "4.0.0",
"license": "MIT",
"dependencies": {
"graceful-fs": "^4.1.6"
},
"optionalDependencies": {
"graceful-fs": "^4.1.6"
}

2
package.json
View file

@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "1.0.6",
"version": "1.0.8",
"private": true,
"description": "CodeQL action",
"scripts": {

2
runner/package-lock.json generated
View file

@ -1,6 +1,6 @@
{
"name": "codeql-runner",
"version": "1.0.6",
"version": "1.0.8",
"lockfileVersion": 1,
"requires": true,
"dependencies": {

2
runner/package.json
View file

@ -1,6 +1,6 @@
{
"name": "codeql-runner",
"version": "1.0.6",
"version": "1.0.8",
"private": true,
"description": "CodeQL runner",
"scripts": {

43
src/analyze.test.ts
View file

@ -94,6 +94,35 @@ test("status report fields and search path setting", async (t) => {
],
},
},
// variant 3 references a rule with the lines-of-code tag
{
tool: {
extensions: [
{
rules: [
{
properties: {
tags: ["lines-of-code"],
},
},
],
},
],
},
properties: {
metricResults: [
{
rule: {
index: 0,
toolComponent: {
index: 0,
},
},
value: 123,
},
],
},
},
{},
],
})
@ -233,8 +262,20 @@ test("status report fields and search path setting", async (t) => {
baseline: lineCount,
},
]);
t.deepEqual(sarif.runs[2].properties.metricResults, [
{
rule: {
index: 0,
toolComponent: {
index: 0,
},
},
value: 123,
baseline: lineCount,
},
]);
// when the rule doesn't exist, it should not be added
t.deepEqual(sarif.runs[2].properties.metricResults, []);
t.deepEqual(sarif.runs[3].properties.metricResults, []);
}
function verifyQuerySuites(tmpDir: string) {

16
src/analyze.ts
View file

@ -415,8 +415,10 @@ async function injectLinesOfCode(
const idPrefix = getIdPrefix(language);
if (language in lineCounts) {
const sarif = JSON.parse(fs.readFileSync(sarifFile, "utf8"));
if (Array.isArray(sarif.runs)) {
for (const run of sarif.runs) {
// Old style: Baseline is inserted when rule ID has suffix /summary/lines-of-code
const ruleId = `${idPrefix}/summary/lines-of-code`;
run.properties = run.properties || {};
run.properties.metricResults = run.properties.metricResults || [];
@ -428,8 +430,22 @@ async function injectLinesOfCode(
if (rule) {
rule.baseline = lineCounts[language];
}
// New style: Baseline is inserted when matching rule has tag lines-of-code
for (const metric of run.properties.metricResults) {
if (metric.rule && metric.rule.toolComponent) {
const matchingRule =
run.tool.extensions[metric.rule.toolComponent.index].rules[
metric.rule.index
];
if (matchingRule.properties.tags?.includes("lines-of-code")) {
metric.baseline = lineCounts[language];
}
}
}
}
}
fs.writeFileSync(sarifFile, JSON.stringify(sarif));
}
}