ensure only the upload-sarif action can submit a status report with first_party_analysis=false

This commit is contained in:
nickfyson 2024-02-21 14:01:56 +00:00
parent a7dc229496
commit f32f0bf8e4
9 changed files with 77 additions and 23 deletions


@ -15,6 +15,14 @@ import {
ConfigurationError,
} from "./util";
export type ActionName =
| "autobuild"
| "finish"
| "init"
| "init-post"
| "resolve-environment"
| "upload-sarif";
// eslint-disable-next-line import/no-commonjs
const pkg = require("../package.json") as JSONSchemaForNPMPackageJsonFiles;
@ -265,9 +273,13 @@ export function getActionVersion(): string {
*
* This is based on whether the init action has been used, which is only used for first party analysis.
* When a SARIF file has been generated by other means and submitted using the upload action, this is
* considered to be a third party analysis and is treated differently when calculating SLOs.
* considered to be a third party analysis and is treated differently when calculating SLOs. To ensure
* misconfigured workflows are not treated as third party, only the upload-sarif action can return false.
*/
export function isFirstPartyAnalysis(): boolean {
export function isFirstPartyAnalysis(actionName: ActionName): boolean {
if (actionName !== "upload-sarif") {
return true;
}
return process.env[EnvVar.INIT_ACTION_HAS_RUN] === "true";
}
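Review bot: The rewritten TSDoc on isFirstPartyAnalysis explains the rule but does not document the new parameter or the return contract, so a caller reading only the signature cannot tell why the action name matters; add `@param actionName the action currently running; every action other than "upload-sarif" is reported as first party` and `@returns false only when upload-sarif runs without the init action having run`. It is also worth stating in the doc that the check is a strict equality against the literal "true", so an unset or malformed `EnvVar.INIT_ACTION_HAS_RUN` yields false rather than an error, since that is the behavior the new tests pin. The doc comment begins outside the hunk.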


@ -79,7 +79,7 @@ test("createStatusReportBase_firstParty", async (t) => {
t.is(
(
await createStatusReportBase(
"init",
"upload-sarif",
"failure",
new Date("May 19, 2023 05:19:00"),
{ numAvailableBytes: 100, numTotalBytes: 500 },
@ -90,11 +90,25 @@ test("createStatusReportBase_firstParty", async (t) => {
false,
);
t.is(
(
await createStatusReportBase(
"autobuild",
"failure",
new Date("May 19, 2023 05:19:00"),
{ numAvailableBytes: 100, numTotalBytes: 500 },
"failure cause",
"exception stack trace",
)
).first_party_analysis,
true,
);
process.env["CODEQL_INIT_ACTION_HAS_RUN"] = "foobar";
t.is(
(
await createStatusReportBase(
"init",
"upload-sarif",
"failure",
new Date("May 19, 2023 05:19:00"),
{ numAvailableBytes: 100, numTotalBytes: 500 },
@ -105,7 +119,6 @@ test("createStatusReportBase_firstParty", async (t) => {
false,
);
process.env["CODEQL_INIT_ACTION_HAS_RUN"] = "true";
t.is(
(
await createStatusReportBase(
@ -119,5 +132,34 @@ test("createStatusReportBase_firstParty", async (t) => {
).first_party_analysis,
true,
);
process.env["CODEQL_INIT_ACTION_HAS_RUN"] = "true";
t.is(
(
await createStatusReportBase(
"upload-sarif",
"failure",
new Date("May 19, 2023 05:19:00"),
{ numAvailableBytes: 100, numTotalBytes: 500 },
"failure cause",
"exception stack trace",
)
).first_party_analysis,
true,
);
t.is(
(
await createStatusReportBase(
"finish",
"failure",
new Date("May 19, 2023 05:19:00"),
{ numAvailableBytes: 100, numTotalBytes: 500 },
"failure cause",
"exception stack trace",
)
).first_party_analysis,
true,
);
});
});
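Review bot: The test now ends with `process.env["CODEQL_INIT_ACTION_HAS_RUN"]` left set to "true" (the assignment is made just before the last two assertions and never cleared), so any later test in the same process that expects the variable to be unset inherits that state; clear it at the end, e.g. `delete process.env["CODEQL_INIT_ACTION_HAS_RUN"];`, or register it in a teardown. As a point of consistency, the test writes the variable by its raw name while the implementation reads `process.env[EnvVar.INIT_ACTION_HAS_RUN]`; using the same `EnvVar` constant here, if it is importable in this test file, keeps the two from drifting apart silently. Whether an earlier part of the test file already resets the variable is outside this hunk.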


@ -11,6 +11,7 @@ import {
getActionVersion,
getRequiredInput,
isFirstPartyAnalysis,
ActionName,
} from "./actions-util";
import { getAnalysisKey, getApiClient } from "./api-client";
import { EnvVar } from "./environment";
@ -24,14 +25,6 @@ import {
DiskUsage,
} from "./util";
export type ActionName =
| "autobuild"
| "finish"
| "init"
| "init-post"
| "resolve-environment"
| "upload-sarif";
export type ActionStatus =
| "aborted" // Only used in the init Action, if init failed before initializing the tracer due to something other than a configuration error.
| "failure"
@ -230,7 +223,7 @@ export async function createStatusReportBase(
action_version: getActionVersion(),
analysis_key,
commit_oid: commitOid,
first_party_analysis: isFirstPartyAnalysis(),
first_party_analysis: isFirstPartyAnalysis(actionName),
job_name: jobName,
job_run_uuid: jobRunUUID,
ref,
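Review bot: In the first hunk `ActionName` is added to the value import list from "./actions-util" even though it is type-only, and it is placed after `isFirstPartyAnalysis` rather than in the alphabetical order the neighbouring names follow; under `isolatedModules` or `verbatimModuleSyntax` a type-only symbol should be marked, e.g. `type ActionName,` placed before `getActionVersion,`. Deleting `export type ActionName` from this module also removes a previously public export, so any other module that imported it from "./status-report" must now import it from "./actions-util"; the other changed files are outside this view, so I cannot confirm they were all updated. The `createStatusReportBase` body in the last hunk begins and ends outside it.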