Merge branch 'main' into henrymercer/update-release-process

This commit is contained in:
Henry Mercer 2022-03-25 15:18:11 +00:00 committed by GitHub
commit f7846479e6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 53 additions and 22 deletions

5
lib/analyze.js generated

@ -131,11 +131,12 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
if (!hasBuiltinQueries && !hasCustomQueries && !hasPackWithCustomQueries) { if (!hasBuiltinQueries && !hasCustomQueries && !hasPackWithCustomQueries) {
throw new Error(`Unable to analyse ${language} as no queries were selected for this language`); throw new Error(`Unable to analyse ${language} as no queries were selected for this language`);
} }
const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
try { try {
if (hasPackWithCustomQueries) { if (hasPackWithCustomQueries &&
!(await util.codeQlVersionAbove(codeql, codeql_1.CODEQL_VERSION_CONFIG_FILES))) {
logger.info("Performing analysis with custom CodeQL Packs."); logger.info("Performing analysis with custom CodeQL Packs.");
logger.startGroup(`Downloading custom packs for ${language}`); logger.startGroup(`Downloading custom packs for ${language}`);
const codeql = await (0, codeql_1.getCodeQL)(config.codeQLCmd);
const results = await codeql.packDownload(packsWithVersion); const results = await codeql.packDownload(packsWithVersion);
logger.info(`Downloaded packs: ${results.packs logger.info(`Downloaded packs: ${results.packs
.map((r) => `${r.name}@${r.version || "latest"}`) .map((r) => `${r.name}@${r.version || "latest"}`)


10
lib/codeql.js generated

@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod }; return (mod && mod.__esModule) ? mod : { "default": mod };
}; };
Object.defineProperty(exports, "__esModule", { value: true }); Object.defineProperty(exports, "__esModule", { value: true });
exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_ML_POWERED_QUERIES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CommandInvocationError = void 0; exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_ML_POWERED_QUERIES = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CommandInvocationError = void 0;
const fs = __importStar(require("fs")); const fs = __importStar(require("fs"));
const path = __importStar(require("path")); const path = __importStar(require("path"));
const toolrunner = __importStar(require("@actions/exec/lib/toolrunner")); const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
@ -76,7 +76,7 @@ const CODEQL_VERSION_GROUP_RULES = "2.5.5";
const CODEQL_VERSION_SARIF_GROUP = "2.5.3"; const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
exports.CODEQL_VERSION_COUNTS_LINES = "2.6.2"; exports.CODEQL_VERSION_COUNTS_LINES = "2.6.2";
const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1"; const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
const CODEQL_VERSION_CONFIG_FILES = "2.8.2"; // Versions before 2.8.2 weren't tolerant to unknown properties exports.CODEQL_VERSION_CONFIG_FILES = "2.8.2"; // Versions before 2.8.2 weren't tolerant to unknown properties
exports.CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5"; exports.CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
/** /**
* This variable controls using the new style of tracing from the CodeQL * This variable controls using the new style of tracing from the CodeQL
@ -468,7 +468,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
extraArgs.push(`--trace-process-level=${processLevel || 3}`); extraArgs.push(`--trace-process-level=${processLevel || 3}`);
} }
} }
if (await util.codeQlVersionAbove(codeql, CODEQL_VERSION_CONFIG_FILES)) { if (await util.codeQlVersionAbove(codeql, exports.CODEQL_VERSION_CONFIG_FILES)) {
const configLocation = path.resolve(config.tempDir, "user-config.yaml"); const configLocation = path.resolve(config.tempDir, "user-config.yaml");
fs.writeFileSync(configLocation, yaml.dump(config.originalUserInput)); fs.writeFileSync(configLocation, yaml.dump(config.originalUserInput));
extraArgs.push(`--codescanning-config=${configLocation}`); extraArgs.push(`--codescanning-config=${configLocation}`);
@ -593,7 +593,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
if (extraSearchPath !== undefined) { if (extraSearchPath !== undefined) {
codeqlArgs.push("--additional-packs", extraSearchPath); codeqlArgs.push("--additional-packs", extraSearchPath);
} }
if (!(await util.codeQlVersionAbove(this, CODEQL_VERSION_CONFIG_FILES))) { if (!(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_CONFIG_FILES))) {
codeqlArgs.push(querySuitePath); codeqlArgs.push(querySuitePath);
} }
await runTool(cmd, codeqlArgs); await runTool(cmd, codeqlArgs);
@ -622,7 +622,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
codeqlArgs.push("--sarif-category", automationDetailsId); codeqlArgs.push("--sarif-category", automationDetailsId);
} }
codeqlArgs.push(databasePath); codeqlArgs.push(databasePath);
if (!(await util.codeQlVersionAbove(this, CODEQL_VERSION_CONFIG_FILES))) { if (!(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_CONFIG_FILES))) {
codeqlArgs.push(...querySuitePaths); codeqlArgs.push(...querySuitePaths);
} }
// capture stdout, which contains analysis summaries // capture stdout, which contains analysis summaries


5
node_modules/.package-lock.json generated vendored

@ -3593,8 +3593,9 @@
} }
}, },
"node_modules/minimist": { "node_modules/minimist": {
"version": "1.2.5", "version": "1.2.6",
"integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
"integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
"dev": true "dev": true
}, },
"node_modules/ms": { "node_modules/ms": {

8
node_modules/minimist/index.js generated vendored

@ -70,7 +70,7 @@ module.exports = function (args, opts) {
var o = obj; var o = obj;
for (var i = 0; i < keys.length-1; i++) { for (var i = 0; i < keys.length-1; i++) {
var key = keys[i]; var key = keys[i];
if (key === '__proto__') return; if (isConstructorOrProto(o, key)) return;
if (o[key] === undefined) o[key] = {}; if (o[key] === undefined) o[key] = {};
if (o[key] === Object.prototype || o[key] === Number.prototype if (o[key] === Object.prototype || o[key] === Number.prototype
|| o[key] === String.prototype) o[key] = {}; || o[key] === String.prototype) o[key] = {};
@ -79,7 +79,7 @@ module.exports = function (args, opts) {
} }
var key = keys[keys.length - 1]; var key = keys[keys.length - 1];
if (key === '__proto__') return; if (isConstructorOrProto(o, key)) return;
if (o === Object.prototype || o === Number.prototype if (o === Object.prototype || o === Number.prototype
|| o === String.prototype) o = {}; || o === String.prototype) o = {};
if (o === Array.prototype) o = []; if (o === Array.prototype) o = [];
@ -243,3 +243,7 @@ function isNumber (x) {
return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x); return /^[-+]?(?:\d+(?:\.\d*)?|\.\d+)(e[-+]?\d+)?$/.test(x);
} }
function isConstructorOrProto (obj, key) {
return key === 'constructor' && typeof obj[key] === 'function' || key === '__proto__';
}

2
node_modules/minimist/package.json generated vendored

@ -1,6 +1,6 @@
{ {
"name": "minimist", "name": "minimist",
"version": "1.2.5", "version": "1.2.6",
"description": "parse argument options", "description": "parse argument options",
"main": "index.js", "main": "index.js",
"devDependencies": { "devDependencies": {


@ -34,7 +34,10 @@ $ node example/parse.js -x 3 -y 4 -n5 -abc --beep=boop foo bar baz
Previous versions had a prototype pollution bug that could cause privilege Previous versions had a prototype pollution bug that could cause privilege
escalation in some circumstances when handling untrusted user input. escalation in some circumstances when handling untrusted user input.
Please use version 1.2.3 or later: https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 Please use version 1.2.6 or later:
* https://security.snyk.io/vuln/SNYK-JS-MINIMIST-2429795 (version <=1.2.5)
* https://snyk.io/vuln/SNYK-JS-MINIMIST-559764 (version <=1.2.3)
# methods # methods

16
node_modules/minimist/test/proto.js generated vendored

@ -42,3 +42,19 @@ test('proto pollution (constructor)', function (t) {
t.equal(argv.y, undefined); t.equal(argv.y, undefined);
t.end(); t.end();
}); });
test('proto pollution (constructor function)', function (t) {
var argv = parse(['--_.concat.constructor.prototype.y', '123']);
function fnToBeTested() {}
t.equal(fnToBeTested.y, undefined);
t.equal(argv.y, undefined);
t.end();
});
// powered by snyk - https://github.com/backstage/backstage/issues/10343
test('proto pollution (constructor function) snyk', function (t) {
var argv = parse('--_.constructor.constructor.prototype.foo bar'.split(' '));
t.equal((function(){}).foo, undefined);
t.equal(argv.y, undefined);
t.end();
})

10
package-lock.json generated

@ -3646,8 +3646,9 @@
} }
}, },
"node_modules/minimist": { "node_modules/minimist": {
"version": "1.2.5", "version": "1.2.6",
"integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
"integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
"dev": true "dev": true
}, },
"node_modules/ms": { "node_modules/ms": {
@ -8003,8 +8004,9 @@
} }
}, },
"minimist": { "minimist": {
"version": "1.2.5", "version": "1.2.6",
"integrity": "sha512-FM9nNUYrRBAELZQT3xeZQ7fmMOBg6nWNmJKTcgsJeaLstP/UODVpGsr5OhXhhXg6f+qtJ8uiZ+PUxkDWcgIXLw==", "resolved": "https://registry.npmjs.org/minimist/-/minimist-1.2.6.tgz",
"integrity": "sha512-Jsjnk4bw3YJqYzbdyBiNsPWHPfO++UGG749Cxs6peCu5Xg4nrena6OVxOYxrQTqww0Jmwt+Ref8rggumkTLz9Q==",
"dev": true "dev": true
}, },
"ms": { "ms": {


@ -6,6 +6,7 @@ import * as yaml from "js-yaml";
import * as analysisPaths from "./analysis-paths"; import * as analysisPaths from "./analysis-paths";
import { import {
CODEQL_VERSION_CONFIG_FILES,
CODEQL_VERSION_COUNTS_LINES, CODEQL_VERSION_COUNTS_LINES,
CODEQL_VERSION_NEW_TRACING, CODEQL_VERSION_NEW_TRACING,
getCodeQL, getCodeQL,
@ -235,12 +236,15 @@ export async function runQueries(
); );
} }
const codeql = await getCodeQL(config.codeQLCmd);
try { try {
if (hasPackWithCustomQueries) { if (
hasPackWithCustomQueries &&
!(await util.codeQlVersionAbove(codeql, CODEQL_VERSION_CONFIG_FILES))
) {
logger.info("Performing analysis with custom CodeQL Packs."); logger.info("Performing analysis with custom CodeQL Packs.");
logger.startGroup(`Downloading custom packs for ${language}`); logger.startGroup(`Downloading custom packs for ${language}`);
const codeql = await getCodeQL(config.codeQLCmd);
const results = await codeql.packDownload(packsWithVersion); const results = await codeql.packDownload(packsWithVersion);
logger.info( logger.info(
`Downloaded packs: ${results.packs `Downloaded packs: ${results.packs
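Review bot: The new condition `!(await util.codeQlVersionAbove(codeql, CODEQL_VERSION_CONFIG_FILES))` carries no explanation of why custom pack download is skipped on newer CLIs, so a reader of runQueries cannot tell whether the packs are then resolved elsewhere or never fetched at all. A why-comment above the `if` would close that gap, e.g. `// CLI >= CODEQL_VERSION_CONFIG_FILES receives the user config via --codescanning-config and resolves packs itself; only older CLIs need the Action to download them.` — presumably the intent, judging by the --codescanning-config branch in the lib/codeql.js hunk of this same commit, but worth confirming. Note that on that newer path the `Downloaded packs: name@version` log line is no longer emitted by the Action, so the resolved pack versions are not surfaced here unless the CLI logs them. Hoisting `const codeql = await getCodeQL(config.codeQLCmd);` above the `try` also moves it out of whatever the `catch` does (closing the log group, wrapping the error); runQueries continues outside the hunk, so that handler is not visible here.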


@ -220,7 +220,7 @@ const CODEQL_VERSION_GROUP_RULES = "2.5.5";
const CODEQL_VERSION_SARIF_GROUP = "2.5.3"; const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
export const CODEQL_VERSION_COUNTS_LINES = "2.6.2"; export const CODEQL_VERSION_COUNTS_LINES = "2.6.2";
const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1"; const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
const CODEQL_VERSION_CONFIG_FILES = "2.8.2"; // Versions before 2.8.2 weren't tolerant to unknown properties export const CODEQL_VERSION_CONFIG_FILES = "2.8.2"; // Versions before 2.8.2 weren't tolerant to unknown properties
export const CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5"; export const CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
/** /**
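Review bot: Now that `CODEQL_VERSION_CONFIG_FILES` is exported and used as a feature gate by callers, its trailing comment (`Versions before 2.8.2 weren't tolerant to unknown properties`) describes a historical limitation rather than what the gate means, so a caller cannot tell what behaviour flips at that version. A doc comment on the export would help, e.g. `/** Minimum CLI version that is handed the user config via --codescanning-config and so selects query suites and packs itself; older CLIs receive them from the Action. */` — that is what the --codescanning-config branch in the lib/codeql.js hunk of this commit appears to gate, hedged since the full file is not visible here. The surrounding run of version constants continues outside the hunk.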