robojerk/codeql-action

Merge branch 'main' into henrymercer/remove-legacy-tracing

Browse source
This commit is contained in:
Henry Mercer 2023-04-05 18:39:27 +01:00
commit f7a67e4341
92 changed files with 401 additions and 220 deletions
Download patch file Download diff file Expand all files Collapse all files

0
.github/check-codescanning-config/action.yml → .github/actions/check-codescanning-config/action.yml vendored
View file

0
.github/check-codescanning-config/index.ts → .github/actions/check-codescanning-config/index.ts vendored
View file

0
.github/check-sarif/action.yml → .github/actions/check-sarif/action.yml vendored
View file

0
.github/check-sarif/index.js → .github/actions/check-sarif/index.js vendored
View file

0
.github/prepare-test/action.yml → .github/actions/prepare-test/action.yml vendored
View file

2
.github/query-filter-test/action.yml → .github/actions/query-filter-test/action.yml vendored
View file

@ -44,7 +44,7 @@ runs:
env:
CODEQL_ACTION_TEST_MODE: "true"
- name: Check SARIF
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ inputs.sarif-file }}
queries-run: ${{ inputs.queries-run}}

0
.github/setup-swift/action.yml → .github/actions/setup-swift/action.yml vendored
View file

14
.github/actions/update-bundle/action.yml vendored Normal file
View file

@ -0,0 +1,14 @@
name: Update default CodeQL bundle
description: Updates 'src/defaults.json' to point to a new CodeQL bundle release.
runs:
using: composite
steps:
- name: Install ts-node
shell: bash
run: npm install -g ts-node
- name: Run update script
working-directory: ${{ github.action_path }}
shell: bash
run: ts-node ./index.ts

69
.github/actions/update-bundle/index.ts vendored Normal file
View file

@ -0,0 +1,69 @@
import * as fs from 'fs';
import * as github from '@actions/github';
interface BundleInfo {
bundleVersion: string;
cliVersion: string;
}
interface Defaults {
bundleVersion: string;
cliVersion: string;
priorBundleVersion: string;
priorCliVersion: string;
}
const CODEQL_BUNDLE_PREFIX = 'codeql-bundle-';
function getCodeQLCliVersionForRelease(release): string {
// We do not currently tag CodeQL bundles based on the CLI version they contain.
// Instead, we use a marker file `cli-version-<version>.txt` to record the CLI version.
// This marker file is uploaded as a release asset for all new CodeQL bundles.
const cliVersionsFromMarkerFiles = release.assets
.map((asset) => asset.name.match(/cli-version-(.*)\.txt/)?.[1])
.filter((v) => v)
.map((v) => v as string);
if (cliVersionsFromMarkerFiles.length > 1) {
throw new Error(
`Release ${release.tag_name} has multiple CLI version marker files.`
);
} else if (cliVersionsFromMarkerFiles.length === 0) {
throw new Error(
`Failed to find the CodeQL CLI version for release ${release.tag_name}.`
);
}
return cliVersionsFromMarkerFiles[0];
}
async function getBundleInfoFromRelease(release): Promise<BundleInfo> {
return {
bundleVersion: release.tag_name.substring(CODEQL_BUNDLE_PREFIX.length),
cliVersion: getCodeQLCliVersionForRelease(release)
};
}
async function getNewDefaults(currentDefaults: Defaults): Promise<Defaults> {
const release = github.context.payload.release;
console.log('Updating default bundle as a result of the following release: ' +
`${JSON.stringify(release)}.`)
const bundleInfo = await getBundleInfoFromRelease(release);
return {
bundleVersion: bundleInfo.bundleVersion,
cliVersion: bundleInfo.cliVersion,
priorBundleVersion: currentDefaults.bundleVersion,
priorCliVersion: currentDefaults.cliVersion
};
}
async function main() {
const previousDefaults: Defaults = JSON.parse(fs.readFileSync('../../../src/defaults.json', 'utf8'));
const newDefaults = await getNewDefaults(previousDefaults);
// Update the source file in the repository. Calling workflows should subsequently rebuild
// the Action to update `lib/defaults.json`.
fs.writeFileSync('../../../src/defaults.json', JSON.stringify(newDefaults, null, 2) + "\n");
}
// Ideally, we'd await main() here, but that doesn't work well with `ts-node`.
// So instead we rely on the fact that Node won't exit until the event loop is empty.
main();

2
.github/dependabot.yml vendored
View file

@ -16,6 +16,6 @@ updates:
schedule:
interval: weekly
- package-ecosystem: github-actions
directory: "/.github/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
directory: "/.github/actions/setup-swift/" # All subdirectories outside of "/.github/workflows" must be explicitly included.
schedule:
interval: weekly

2
.github/workflows/__analyze-ref-input.yml generated vendored
View file

@ -75,7 +75,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__autobuild-action.yml generated vendored
View file

@ -39,7 +39,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__config-export.yml generated vendored
View file

@ -45,7 +45,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

8
.github/workflows/__diagnostics-export.yml generated vendored
View file

@ -25,6 +25,12 @@ jobs:
strategy:
matrix:
include:
- os: ubuntu-latest
version: stable-20230317
- os: macos-latest
version: stable-20230317
- os: windows-latest
version: stable-20230317
- os: ubuntu-latest
version: latest
- os: macos-latest
@ -45,7 +51,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

4
.github/workflows/__export-file-baseline-information.yml generated vendored
View file

@ -39,7 +39,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement
@ -61,7 +61,7 @@ jobs:
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
CODEQL_FILE_BASELINE_INFORMATION: true
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Build code

2
.github/workflows/__extractor-ram-threads.yml generated vendored
View file

@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__go-custom-queries.yml generated vendored
View file

@ -75,7 +75,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__go-tracing-autobuilder.yml generated vendored
View file

@ -61,7 +61,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__go-tracing-custom-build-steps.yml generated vendored
View file

@ -61,7 +61,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__go-tracing-legacy-workflow.yml generated vendored
View file

@ -61,7 +61,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

10
.github/workflows/__init-with-registries.yml generated vendored
View file

@ -51,7 +51,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement
@ -80,8 +80,8 @@ jobs:
- name: Verify packages installed
shell: bash
run: |
PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
if [[ -d $PRIVATE_PACK ]]
then
@ -128,5 +128,9 @@ jobs:
cat $QLCONFIG_PATH
exit 1
fi
permissions:
contents: read
packages: read
env:
CODEQL_ACTION_TEST_MODE: true

2
.github/workflows/__javascript-source-root.yml generated vendored
View file

@ -39,7 +39,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

4
.github/workflows/__ml-powered-queries.yml generated vendored
View file

@ -75,7 +75,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement
@ -109,7 +109,7 @@ jobs:
retention-days: 7
- name: Check sarif
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
# Running on Windows requires CodeQL CLI 2.9.0+.
if: "!(matrix.version == 'stable-20220401' && runner.os == 'Windows')"
with:

4
.github/workflows/__multi-language-autodetect.yml generated vendored
View file

@ -61,7 +61,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement
@ -81,7 +81,7 @@ jobs:
db-location: ${{ runner.temp }}/customDbLocation
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}

6
.github/workflows/__packaging-codescanning-config-inputs-js.yml generated vendored
View file

@ -51,7 +51,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement
@ -68,7 +68,7 @@ jobs:
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging3.yml
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
@ -80,7 +80,7 @@ jobs:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

6
.github/workflows/__packaging-config-inputs-js.yml generated vendored
View file

@ -51,7 +51,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement
@ -68,7 +68,7 @@ jobs:
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging3.yml
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
@ -80,7 +80,7 @@ jobs:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

4
.github/workflows/__packaging-config-js.yml generated vendored
View file

@ -51,7 +51,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement
@ -79,7 +79,7 @@ jobs:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

6
.github/workflows/__packaging-inputs-js.yml generated vendored
View file

@ -51,7 +51,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement
@ -69,7 +69,7 @@ jobs:
with:
config-file: .github/codeql/codeql-config-packaging2.yml
languages: javascript
packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
@ -79,7 +79,7 @@ jobs:
output: ${{ runner.temp }}/results
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

2
.github/workflows/__remote-config.yml generated vendored
View file

@ -75,7 +75,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__rubocop-multi-language.yml generated vendored
View file

@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__ruby.yml generated vendored
View file

@ -45,7 +45,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

4
.github/workflows/__split-workflow.yml generated vendored
View file

@ -45,7 +45,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement
@ -62,7 +62,7 @@ jobs:
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging3.yml
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code

2
.github/workflows/__submit-sarif-failure.yml generated vendored
View file

@ -39,7 +39,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

4
.github/workflows/__swift-custom-build.yml generated vendored
View file

@ -45,7 +45,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement
@ -64,7 +64,7 @@ jobs:
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory

2
.github/workflows/__test-autobuild-working-dir.yml generated vendored
View file

@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__test-local-codeql.yml generated vendored
View file

@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__test-proxy.yml generated vendored
View file

@ -35,7 +35,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__unset-environment.yml generated vendored
View file

@ -47,7 +47,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__upload-ref-sha-input.yml generated vendored
View file

@ -75,7 +75,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

2
.github/workflows/__with-checkout-path.yml generated vendored
View file

@ -75,7 +75,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Set environment variable for Swift enablement

44
.github/workflows/codescanning-config-cli.yml vendored
View file

@ -47,12 +47,12 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- name: Empty file
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: "{}"
languages: javascript
@ -60,31 +60,31 @@ jobs:
- name: Packs from input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
"packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
languages: javascript
packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Packs from input with +
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
"packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
languages: javascript
packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries from input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
@ -96,7 +96,7 @@ jobs:
- name: Queries from input with +
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
@ -108,27 +108,27 @@ jobs:
- name: Queries and packs from input with +
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
"packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
"packs": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
languages: javascript
queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
packs: + codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries and packs from config
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }],
"packs": {
"javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
"javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ]
}
}
languages: javascript
@ -137,7 +137,7 @@ jobs:
- name: Queries and packs from config overriden by input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
@ -152,7 +152,7 @@ jobs:
- name: Queries and packs from config merging with input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
@ -161,7 +161,7 @@ jobs:
{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
],
"packs": {
"javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2", "codeql/javascript-queries" ]
"javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2", "codeql/javascript-queries" ]
}
}
languages: javascript
@ -172,12 +172,12 @@ jobs:
- name: Multi-language packs from config
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": {
"javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ],
"javascript": ["codeql-testing/codeql-pack1@1.0.0", "codeql-testing/codeql-pack2" ],
"ruby": ["codeql/ruby-queries"]
},
"queries": [
@ -190,7 +190,7 @@ jobs:
- name: Other config properties
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: |
{
@ -209,7 +209,7 @@ jobs:
if: success() || failure()
env:
CODEQL_PASS_CONFIG_TO_CLI: false
uses: ./../action/.github/check-codescanning-config
uses: ./../action/.github/actions/check-codescanning-config
with:
expected-config-file-contents: ""
languages: javascript

2
.github/workflows/debug-artifacts-failure.yml vendored
View file

@ -36,7 +36,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: latest
- uses: actions/setup-go@v4

2
.github/workflows/debug-artifacts.yml vendored
View file

@ -42,7 +42,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: ${{ matrix.version }}
- uses: actions/setup-go@v4

4
.github/workflows/expected-queries-runs.yml vendored
View file

@ -25,7 +25,7 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: latest
- uses: ./../action/init
@ -39,7 +39,7 @@ jobs:
upload: never
- name: Check Sarif
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/incomplete-hostname-regexp,js/path-injection

8
.github/workflows/query-filters.yml vendored
View file

@ -23,12 +23,12 @@ jobs:
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
uses: ./.github/actions/prepare-test
with:
version: latest
- name: Check SARIF for default queries with Single include, Single exclude
uses: ./../action/.github/query-filter-test
uses: ./../action/.github/actions/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip
@ -37,7 +37,7 @@ jobs:
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check SARIF for query packs with Single include, Single exclude
uses: ./../action/.github/query-filter-test
uses: ./../action/.github/actions/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block
@ -46,7 +46,7 @@ jobs:
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Check SARIF for query packs and local queries with Single include, Single exclude
uses: ./../action/.github/query-filter-test
uses: ./../action/.github/actions/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs

82
.github/workflows/update-bundle.yml vendored Normal file
View file

@ -0,0 +1,82 @@
name: Update default CodeQL bundle
on:
release:
types: [prereleased]
jobs:
update-bundle:
if: startsWith(github.event.release.tag_name, 'codeql-bundle-')
runs-on: ubuntu-latest
steps:
- name: Dump environment
run: env
- name: Dump GitHub context
env:
GITHUB_CONTEXT: '${{ toJson(github) }}'
run: echo "$GITHUB_CONTEXT"
- uses: actions/checkout@v3
- name: Update git config
run: |
git config --global user.email "github-actions@github.com"
git config --global user.name "github-actions[bot]"
- name: Update bundle
uses: ./.github/actions/update-bundle
- name: Rebuild Action
run: npm run build
- name: Commit and push changes
env:
RELEASE_TAG: "${{ github.event.release.tag_name }}"
run: |
git checkout -b "update-bundle/$RELEASE_TAG"
git commit -am "Update default bundle to $RELEASE_TAG"
git push --set-upstream origin "update-bundle/$RELEASE_TAG"
- name: Open pull request
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cli_version=$(jq -r '.cliVersion' src/defaults.json)
pr_url=$(gh pr create \
--title "Update default bundle to $cli_version" \
--body "This pull request updates the default CodeQL bundle, as used with \`tools: latest\` and on GHES, to $cli_version." \
--assignee "$GITHUB_ACTOR" \
--draft \
)
echo "CLI_VERSION=$cli_version" | tee -a "$GITHUB_ENV"
echo "PR_URL=$pr_url" | tee -a "$GITHUB_ENV"
- name: Create changelog note
shell: python
run: |
import os
import re
# Get the PR number from the PR URL.
pr_number = os.environ['PR_URL'].split('/')[-1]
changelog_note = f"- Update default CodeQL bundle version to {os.environ['CLI_VERSION']}. [#{pr_number}]({os.environ['PR_URL']})"
# If the "[UNRELEASED]" section starts with "no user facing changes", remove that line.
# Use perl to avoid having to escape the newline character.
with open('CHANGELOG.md', 'r') as f:
changelog = f.read()
changelog = changelog.replace('## [UNRELEASED]\n\nNo user facing changes.', '## [UNRELEASED]\n')
# Add the changelog note to the bottom of the "[UNRELEASED]" section.
changelog = re.sub(r'\n## (\d+\.\d+\.\d+)', f'{changelog_note}\n\n## \\1', changelog, count=1)
with open('CHANGELOG.md', 'w') as f:
f.write(changelog)
- name: Push changelog note
run: |
git commit -am "Add changelog note"
git push

4
CHANGELOG.md
View file

@ -4,6 +4,10 @@
- Bump the minimum CodeQL bundle version to 2.8.5. [#1618](https://github.com/github/codeql-action/pull/1618)
## 2.2.10 - 05 Apr 2023
- Update default CodeQL bundle version to 2.12.6. [#1629](https://github.com/github/codeql-action/pull/1629)
## 2.2.9 - 27 Mar 2023
- Customers post-processing the SARIF output of the `analyze` Action before uploading it to Code Scanning will benefit from an improved debugging experience. [#1598](https://github.com/github/codeql-action/pull/1598)

29
lib/codeql.js generated
View file

@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
return result;
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
exports.getExtraOptions = exports.getCodeQLForCmd = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.setupCodeQL = exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED = exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CommandInvocationError = void 0;
const fs = __importStar(require("fs"));
const path = __importStar(require("path"));
const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
@ -89,6 +89,11 @@ exports.CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
* Versions 2.12.4+ of the CodeQL CLI support the `--qlconfig-file` flag in calls to `database init`.
*/
exports.CODEQL_VERSION_INIT_WITH_QLCONFIG = "2.12.4";
/**
* Versions 2.12.6+ of the CodeQL CLI fix a bug where duplicate notification objects could be produced,
* leading to an invalid SARIF output.
*/
exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED = "2.12.6";
/**
* Set up CodeQL CLI access.
*
@ -423,7 +428,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
},
async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId, config, features, logger) {
const shouldExportDiagnostics = await features.getValue(feature_flags_1.Feature.ExportDiagnosticsEnabled, this);
const codeqlOutputFile = shouldExportDiagnostics
const shouldWorkaroundInvalidNotifications = shouldExportDiagnostics &&
!(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED));
const codeqlOutputFile = shouldWorkaroundInvalidNotifications
? path.join(config.tempDir, "codeql-intermediate-results.sarif")
: sarifFile;
const codeqlArgs = [
@ -451,13 +458,16 @@ async function getCodeQLForCmd(cmd, checkVersion) {
if (shouldExportDiagnostics) {
codeqlArgs.push("--sarif-include-diagnostics");
}
else if (await util.codeQlVersionAbove(this, "2.12.4")) {
codeqlArgs.push("--no-sarif-include-diagnostics");
}
codeqlArgs.push(databasePath);
if (querySuitePaths) {
codeqlArgs.push(...querySuitePaths);
}
// capture stdout, which contains analysis summaries
const returnState = await (0, toolrunner_error_catcher_1.toolrunnerErrorCatcher)(cmd, codeqlArgs, error_matcher_1.errorMatchers);
if (shouldExportDiagnostics) {
if (shouldWorkaroundInvalidNotifications) {
util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
}
return returnState.stdout;
@ -537,14 +547,17 @@ async function getCodeQLForCmd(cmd, checkVersion) {
await new toolrunner.ToolRunner(cmd, args).exec();
},
async databaseExportDiagnostics(databasePath, sarifFile, automationDetailsId, tempDir, logger) {
const intermediateSarifFile = path.join(tempDir, "codeql-intermediate-results.sarif");
const shouldWorkaroundInvalidNotifications = !(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED));
const codeqlOutputFile = shouldWorkaroundInvalidNotifications
? path.join(tempDir, "codeql-intermediate-results.sarif")
: sarifFile;
const args = [
"database",
"export-diagnostics",
`${databasePath}`,
"--db-cluster",
"--format=sarif-latest",
`--output=${intermediateSarifFile}`,
`--output=${codeqlOutputFile}`,
"--sarif-include-diagnostics",
"-vvv",
...getExtraOptionsFromEnv(["diagnostics", "export"]),
@ -553,8 +566,10 @@ async function getCodeQLForCmd(cmd, checkVersion) {
args.push("--sarif-category", automationDetailsId);
}
await new toolrunner.ToolRunner(cmd, args).exec();
// Fix invalid notifications in the SARIF file output by CodeQL.
util.fixInvalidNotificationsInFile(intermediateSarifFile, sarifFile, logger);
if (shouldWorkaroundInvalidNotifications) {
// Fix invalid notifications in the SARIF file output by CodeQL.
util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
}
},
async diagnosticsExport(sarifFile, automationDetailsId, config, features) {
const args = [

2
lib/codeql.js.map
View file

File diff suppressed because one or more lines are too long

4
lib/codeql.test.js generated
View file

@ -382,11 +382,11 @@ for (const isBundleVersionInUrl of [true, false]) {
tagName: "codeql-bundle-20230203",
});
mockDownloadApi({
repo: "dsp-testing/codeql-cli-nightlies",
repo: "codeql-testing/codeql-cli-nightlies",
platformSpecific: false,
tagName: "codeql-bundle-20230203",
});
const result = await codeql.setupCodeQL("https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
const result = await codeql.setupCodeQL("https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz", sampleApiDetails, tmpDir, util.GitHubVariant.DOTCOM, SAMPLE_DEFAULT_CLI_VERSION, (0, logging_1.getRunnerLogger)(true), false);
t.is(result.toolsVersion, "0.0.0-20230203");
t.is(result.toolsSource, init_1.ToolsSource.Download);
t.true(Number.isInteger(result.toolsDownloadDurationMs));

2
lib/codeql.test.js.map
View file

File diff suppressed because one or more lines are too long

10
lib/config-utils.test.js generated
View file

@ -1134,7 +1134,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
{
// no slash
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -1200,7 +1200,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
const registriesInput = yaml.dump([
{
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -1227,7 +1227,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
const registriesInput = yaml.dump([
{
// missing url property
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -1252,7 +1252,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
{
// no slash
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
]);
@ -1283,7 +1283,7 @@ const calculateAugmentationErrorMacro = ava_1.default.macro({
const registriesInput = yaml.dump([
{
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
]);

2
lib/config-utils.test.js.map
View file

File diff suppressed because one or more lines are too long

8
lib/defaults.json
View file

@ -1,6 +1,6 @@
{
"bundleVersion": "codeql-bundle-20230317",
"cliVersion": "2.12.5",
"priorBundleVersion": "codeql-bundle-20230304",
"priorCliVersion": "2.12.4"
"bundleVersion": "codeql-bundle-20230403",
"cliVersion": "2.12.6",
"priorBundleVersion": "codeql-bundle-20230317",
"priorCliVersion": "2.12.5"
}

6
lib/feature-flags.js generated
View file

@ -55,12 +55,12 @@ exports.featureConfig = {
[Feature.ExportCodeScanningConfigEnabled]: {
envVar: "CODEQL_ACTION_EXPORT_CODE_SCANNING_CONFIG",
minimumVersion: "2.12.3",
defaultValue: false,
defaultValue: true,
},
[Feature.ExportDiagnosticsEnabled]: {
envVar: "CODEQL_ACTION_EXPORT_DIAGNOSTICS",
minimumVersion: "2.12.4",
defaultValue: false,
defaultValue: true,
},
[Feature.MlPoweredQueriesEnabled]: {
envVar: "CODEQL_ML_POWERED_QUERIES",
@ -70,7 +70,7 @@ exports.featureConfig = {
[Feature.UploadFailedSarifEnabled]: {
envVar: "CODEQL_ACTION_UPLOAD_FAILED_SARIF",
minimumVersion: "2.11.3",
defaultValue: false,
defaultValue: true,
},
};
exports.FEATURE_FLAGS_FILE_NAME = "cached-feature-flags.json";

2
lib/feature-flags.js.map
View file

File diff suppressed because one or more lines are too long

3
lib/util.js generated
View file

@ -721,6 +721,9 @@ function fixInvalidNotifications(sarif, logger) {
logger.info(`Removed ${numDuplicateLocationsRemoved} duplicate locations from SARIF notification ` +
"objects.");
}
else {
logger.debug("No duplicate locations found in SARIF notification objects.");
}
return newSarif;
}
exports.fixInvalidNotifications = fixInvalidNotifications;

2
lib/util.js.map
View file

File diff suppressed because one or more lines are too long

6
lib/util.test.js generated
View file

@ -363,7 +363,11 @@ const stubLocation = {
const messages = [];
const result = util.fixInvalidNotifications(createMockSarifWithNotification([stubLocation]), (0, testing_utils_1.getRecordingLogger)(messages));
t.deepEqual(result, createMockSarifWithNotification([stubLocation]));
t.is(messages.length, 0);
t.is(messages.length, 1);
t.deepEqual(messages[0], {
type: "debug",
message: "No duplicate locations found in SARIF notification objects.",
});
});
(0, ava_1.default)("fixInvalidNotifications removes duplicate locations", (t) => {
const messages = [];

2
lib/util.test.js.map
View file

File diff suppressed because one or more lines are too long

15
lib/workflow.js generated
View file

@ -84,8 +84,6 @@ function toCodedErrors(errors) {
exports.WorkflowErrors = toCodedErrors({
MismatchedBranches: `Please make sure that every branch in on.pull_request is also in on.push so that Code Scanning can compare pull requests against the state of the base branch.`,
MissingPushHook: `Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.`,
PathsSpecified: `Using on.push.paths can prevent Code Scanning annotating new alerts in your pull requests.`,
PathsIgnoreSpecified: `Using on.push.paths-ignore can prevent Code Scanning annotating new alerts in your pull requests.`,
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
});
function getWorkflowErrors(doc) {
@ -130,19 +128,6 @@ function getWorkflowErrors(doc) {
if (!hasPush && hasPullRequest) {
missingPush = true;
}
if (hasPush && hasPullRequest) {
const paths = doc.on.push?.paths;
// if you specify paths or paths-ignore you can end up with commits that have no baseline
// if they didn't change any files
// currently we cannot go back through the history and find the most recent baseline
if (Array.isArray(paths) && paths.length > 0) {
errors.push(exports.WorkflowErrors.PathsSpecified);
}
const pathsIgnore = doc.on.push?.["paths-ignore"];
if (Array.isArray(pathsIgnore) && pathsIgnore.length > 0) {
errors.push(exports.WorkflowErrors.PathsIgnoreSpecified);
}
}
// if doc.on.pull_request is null that means 'all branches'
// if doc.on.pull_request is undefined that means 'off'
// we only want to check for mismatched branches if pull_request is on.

2
lib/workflow.js.map
View file

File diff suppressed because one or more lines are too long

15
lib/workflow.test.js generated
View file

@ -58,15 +58,6 @@ function errorCodes(actual, expected) {
});
t.deepEqual(...errorCodes(errors, []));
});
(0, ava_1.default)("getWorkflowErrors() when on.push should not have a path", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
on: {
push: { branches: ["main"], paths: ["test/*"] },
pull_request: { branches: ["main"] },
},
});
t.deepEqual(...errorCodes(errors, [workflow_1.WorkflowErrors.PathsSpecified]));
});
(0, ava_1.default)("getWorkflowErrors() when on.push is a correct object", (t) => {
const errors = (0, workflow_1.getWorkflowErrors)({
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
@ -227,7 +218,7 @@ function errorCodes(actual, expected) {
(0, ava_1.default)("formatWorkflowErrors() when there are multiple errors", (t) => {
const message = (0, workflow_1.formatWorkflowErrors)([
workflow_1.WorkflowErrors.CheckoutWrongHead,
workflow_1.WorkflowErrors.PathsSpecified,
workflow_1.WorkflowErrors.MismatchedBranches,
]);
t.true(message.startsWith("2 issues were detected with this workflow:"));
});
@ -238,9 +229,9 @@ function errorCodes(actual, expected) {
(0, ava_1.default)("formatWorkflowCause()", (t) => {
const message = (0, workflow_1.formatWorkflowCause)([
workflow_1.WorkflowErrors.CheckoutWrongHead,
workflow_1.WorkflowErrors.PathsSpecified,
workflow_1.WorkflowErrors.MismatchedBranches,
]);
t.deepEqual(message, "CheckoutWrongHead,PathsSpecified");
t.deepEqual(message, "CheckoutWrongHead,MismatchedBranches");
t.deepEqual((0, workflow_1.formatWorkflowCause)([]), undefined);
});
(0, ava_1.default)("patternIsSuperset()", (t) => {

2
lib/workflow.test.js.map
View file

File diff suppressed because one or more lines are too long

4
pr-checks/checks/diagnostics-export.yml
View file

@ -1,6 +1,8 @@
name: "Diagnostic export"
description: "Tests that manually added diagnostics are correctly exported to SARIF."
versions: ["latest", "nightly-latest"]
# Test on 2.12.5 (which requires a workaround in the Action), the latest release, and the latest
# nightly.
versions: ["stable-20230317", "latest", "nightly-latest"]
env:
CODEQL_ACTION_EXPORT_DIAGNOSTICS: true
steps:

2
pr-checks/checks/export-file-baseline-information.yml
View file

@ -10,7 +10,7 @@ steps:
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT: true
CODEQL_FILE_BASELINE_INFORMATION: true
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Build code

8
pr-checks/checks/init-with-registries.yml
View file

@ -11,6 +11,10 @@ versions: [
"nightly-latest",
]
permissions:
contents: read
packages: read
steps:
- name: Init with registries
uses: ./../action/init
@ -27,8 +31,8 @@ steps:
- name: Verify packages installed
shell: bash
run: |
PRIVATE_PACK="$HOME/.codeql/packages/dsp-testing/private-pack"
CODEQL_PACK1="$HOME/.codeql/packages/dsp-testing/codeql-pack1"
PRIVATE_PACK="$HOME/.codeql/packages/codeql-testing/private-pack"
CODEQL_PACK1="$HOME/.codeql/packages/codeql-testing/codeql-pack1"
if [[ -d $PRIVATE_PACK ]]
then

2
pr-checks/checks/ml-powered-queries.yml
View file

@ -21,7 +21,7 @@ steps:
retention-days: 7
- name: Check sarif
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
# Running on Windows requires CodeQL CLI 2.9.0+.
if: "!(matrix.version == 'stable-20220401' && runner.os == 'Windows')"
with:

2
pr-checks/checks/multi-language-autodetect.yml
View file

@ -8,7 +8,7 @@ steps:
db-location: "${{ runner.temp }}/customDbLocation"
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}

4
pr-checks/checks/packaging-codescanning-config-inputs-js.yml
View file

@ -9,7 +9,7 @@ steps:
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
@ -21,7 +21,7 @@ steps:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

4
pr-checks/checks/packaging-config-inputs-js.yml
View file

@ -5,7 +5,7 @@ steps:
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
@ -17,7 +17,7 @@ steps:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

2
pr-checks/checks/packaging-config-js.yml
View file

@ -16,7 +16,7 @@ steps:
upload-database: false
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

4
pr-checks/checks/packaging-inputs-js.yml
View file

@ -6,7 +6,7 @@ steps:
with:
config-file: ".github/codeql/codeql-config-packaging2.yml"
languages: javascript
packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2, dsp-testing/codeql-pack3:other-query.ql
packs: codeql-testing/codeql-pack1@1.0.0, codeql-testing/codeql-pack2, codeql-testing/codeql-pack3:other-query.ql
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
@ -16,7 +16,7 @@ steps:
output: "${{ runner.temp }}/results"
- name: Check results
uses: ./../action/.github/check-sarif
uses: ./../action/.github/actions/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block

2
pr-checks/checks/split-workflow.yml
View file

@ -6,7 +6,7 @@ steps:
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/codeql-pack1@1.0.0
packs: +codeql-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code

2
pr-checks/checks/swift-custom-build.yml
View file

@ -10,7 +10,7 @@ steps:
with:
languages: swift
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/.github/setup-swift
- uses: ./../action/.github/actions/setup-swift
with:
codeql-path: ${{steps.init.outputs.codeql-path}}
- name: Check working directory

6
pr-checks/sync.py
View file

@ -68,7 +68,7 @@ for file in os.listdir('checks'):
{
'name': 'Prepare test',
'id': 'prepare-test',
'uses': './.github/prepare-test',
'uses': './.github/actions/prepare-test',
'with': {
'version': '${{ matrix.version }}'
}
@ -103,8 +103,10 @@ for file in os.listdir('checks'):
'name': checkSpecification['name'],
'timeout-minutes': 45,
'runs-on': '${{ matrix.os }}',
'steps': steps
'steps': steps,
}
if 'permissions' in checkSpecification:
checkJob['permissions'] = checkSpecification['permissions']
for key in ["env", "container", "services"]:
if key in checkSpecification:

4
src/codeql.test.ts
View file

@ -554,13 +554,13 @@ test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t)
tagName: "codeql-bundle-20230203",
});
mockDownloadApi({
repo: "dsp-testing/codeql-cli-nightlies",
repo: "codeql-testing/codeql-cli-nightlies",
platformSpecific: false,
tagName: "codeql-bundle-20230203",
});
const result = await codeql.setupCodeQL(
"https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz",
"https://github.com/codeql-testing/codeql-cli-nightlies/releases/download/codeql-bundle-20230203/codeql-bundle.tar.gz",
sampleApiDetails,
tmpDir,
util.GitHubVariant.DOTCOM,

42
src/codeql.ts
View file

@ -287,6 +287,12 @@ export const CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";
*/
export const CODEQL_VERSION_INIT_WITH_QLCONFIG = "2.12.4";
/**
* Versions 2.12.6+ of the CodeQL CLI fix a bug where duplicate notification objects could be produced,
* leading to an invalid SARIF output.
*/
export const CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED = "2.12.6";
/**
* Set up CodeQL CLI access.
*
@ -756,7 +762,13 @@ export async function getCodeQLForCmd(
Feature.ExportDiagnosticsEnabled,
this
);
const codeqlOutputFile = shouldExportDiagnostics
const shouldWorkaroundInvalidNotifications =
shouldExportDiagnostics &&
!(await util.codeQlVersionAbove(
this,
CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED
));
const codeqlOutputFile = shouldWorkaroundInvalidNotifications
? path.join(config.tempDir, "codeql-intermediate-results.sarif")
: sarifFile;
const codeqlArgs = [
@ -788,6 +800,8 @@ export async function getCodeQLForCmd(
}
if (shouldExportDiagnostics) {
codeqlArgs.push("--sarif-include-diagnostics");
} else if (await util.codeQlVersionAbove(this, "2.12.4")) {
codeqlArgs.push("--no-sarif-include-diagnostics");
}
codeqlArgs.push(databasePath);
if (querySuitePaths) {
@ -800,7 +814,7 @@ export async function getCodeQLForCmd(
errorMatchers
);
if (shouldExportDiagnostics) {
if (shouldWorkaroundInvalidNotifications) {
util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
}
@ -903,17 +917,21 @@ export async function getCodeQLForCmd(
tempDir: string,
logger: Logger
): Promise<void> {
const intermediateSarifFile = path.join(
tempDir,
"codeql-intermediate-results.sarif"
);
const shouldWorkaroundInvalidNotifications =
!(await util.codeQlVersionAbove(
this,
CODEQL_VERSION_DUPLICATE_NOTIFICATIONS_FIXED
));
const codeqlOutputFile = shouldWorkaroundInvalidNotifications
? path.join(tempDir, "codeql-intermediate-results.sarif")
: sarifFile;
const args = [
"database",
"export-diagnostics",
`${databasePath}`,
"--db-cluster", // Database is always a cluster for CodeQL versions that support diagnostics.
"--format=sarif-latest",
`--output=${intermediateSarifFile}`,
`--output=${codeqlOutputFile}`,
"--sarif-include-diagnostics", // ExportDiagnosticsEnabled is always true if this command is run.
"-vvv",
...getExtraOptionsFromEnv(["diagnostics", "export"]),
@ -923,12 +941,10 @@ export async function getCodeQLForCmd(
}
await new toolrunner.ToolRunner(cmd, args).exec();
// Fix invalid notifications in the SARIF file output by CodeQL.
util.fixInvalidNotificationsInFile(
intermediateSarifFile,
sarifFile,
logger
);
if (shouldWorkaroundInvalidNotifications) {
// Fix invalid notifications in the SARIF file output by CodeQL.
util.fixInvalidNotificationsInFile(codeqlOutputFile, sarifFile, logger);
}
},
async diagnosticsExport(
sarifFile: string,

10
src/config-utils.test.ts
View file

@ -2307,7 +2307,7 @@ test("downloadPacks-with-registries", async (t) => {
{
// no slash
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -2397,7 +2397,7 @@ test("downloadPacks-with-registries fails on 2.10.3", async (t) => {
const registriesInput = yaml.dump([
{
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -2439,7 +2439,7 @@ test("downloadPacks-with-registries fails with invalid registries block", async
const registriesInput = yaml.dump([
{
// missing url property
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
{
@ -2478,7 +2478,7 @@ test("no generateRegistries when CLI is too old", async (t) => {
{
// no slash
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
]);
@ -2527,7 +2527,7 @@ test("generateRegistries prefers original CODEQL_REGISTRIES_AUTH", async (t) =>
const registriesInput = yaml.dump([
{
url: "http://ghcr.io",
packages: ["codeql/*", "dsp-testing/*"],
packages: ["codeql/*", "codeql-testing/*"],
token: "not-a-token",
},
]);

8
src/defaults.json
View file

@ -1,6 +1,6 @@
{
"bundleVersion": "codeql-bundle-20230317",
"cliVersion": "2.12.5",
"priorBundleVersion": "codeql-bundle-20230304",
"priorCliVersion": "2.12.4"
"bundleVersion": "codeql-bundle-20230403",
"cliVersion": "2.12.6",
"priorBundleVersion": "codeql-bundle-20230317",
"priorCliVersion": "2.12.5"
}

6
src/feature-flags.ts
View file

@ -62,12 +62,12 @@ export const featureConfig: Record<
[Feature.ExportCodeScanningConfigEnabled]: {
envVar: "CODEQL_ACTION_EXPORT_CODE_SCANNING_CONFIG",
minimumVersion: "2.12.3",
defaultValue: false,
defaultValue: true,
},
[Feature.ExportDiagnosticsEnabled]: {
envVar: "CODEQL_ACTION_EXPORT_DIAGNOSTICS",
minimumVersion: "2.12.4",
defaultValue: false,
defaultValue: true,
},
[Feature.MlPoweredQueriesEnabled]: {
@ -78,7 +78,7 @@ export const featureConfig: Record<
[Feature.UploadFailedSarifEnabled]: {
envVar: "CODEQL_ACTION_UPLOAD_FAILED_SARIF",
minimumVersion: "2.11.3",
defaultValue: false,
defaultValue: true,
},
};

6
src/util.test.ts
View file

@ -441,7 +441,11 @@ test("fixInvalidNotifications leaves notifications with unique locations alone",
getRecordingLogger(messages)
);
t.deepEqual(result, createMockSarifWithNotification([stubLocation]));
t.is(messages.length, 0);
t.is(messages.length, 1);
t.deepEqual(messages[0], {
type: "debug",
message: "No duplicate locations found in SARIF notification objects.",
});
});
test("fixInvalidNotifications removes duplicate locations", (t) => {

2
src/util.ts
View file

@ -877,6 +877,8 @@ export function fixInvalidNotifications(
`Removed ${numDuplicateLocationsRemoved} duplicate locations from SARIF notification ` +
"objects."
);
} else {
logger.debug("No duplicate locations found in SARIF notification objects.");
}
return newSarif;
}

17
src/workflow.test.ts
View file

@ -56,17 +56,6 @@ test("getWorkflowErrors() when on.push is a valid superset", (t) => {
t.deepEqual(...errorCodes(errors, []));
});
test("getWorkflowErrors() when on.push should not have a path", (t) => {
const errors = getWorkflowErrors({
on: {
push: { branches: ["main"], paths: ["test/*"] },
pull_request: { branches: ["main"] },
},
});
t.deepEqual(...errorCodes(errors, [WorkflowErrors.PathsSpecified]));
});
test("getWorkflowErrors() when on.push is a correct object", (t) => {
const errors = getWorkflowErrors({
on: { push: { branches: ["main"] }, pull_request: { branches: ["main"] } },
@ -317,7 +306,7 @@ test("formatWorkflowErrors() when there is one error", (t) => {
test("formatWorkflowErrors() when there are multiple errors", (t) => {
const message = formatWorkflowErrors([
WorkflowErrors.CheckoutWrongHead,
WorkflowErrors.PathsSpecified,
WorkflowErrors.MismatchedBranches,
]);
t.true(message.startsWith("2 issues were detected with this workflow:"));
});
@ -331,10 +320,10 @@ test("formatWorkflowCause() with no errors", (t) => {
test("formatWorkflowCause()", (t) => {
const message = formatWorkflowCause([
WorkflowErrors.CheckoutWrongHead,
WorkflowErrors.PathsSpecified,
WorkflowErrors.MismatchedBranches,
]);
t.deepEqual(message, "CheckoutWrongHead,PathsSpecified");
t.deepEqual(message, "CheckoutWrongHead,MismatchedBranches");
t.deepEqual(formatWorkflowCause([]), undefined);
});

15
src/workflow.ts
View file

@ -108,8 +108,6 @@ function toCodedErrors(errors: {
export const WorkflowErrors = toCodedErrors({
MismatchedBranches: `Please make sure that every branch in on.pull_request is also in on.push so that Code Scanning can compare pull requests against the state of the base branch.`,
MissingPushHook: `Please specify an on.push hook so that Code Scanning can compare pull requests against the state of the base branch.`,
PathsSpecified: `Using on.push.paths can prevent Code Scanning annotating new alerts in your pull requests.`,
PathsIgnoreSpecified: `Using on.push.paths-ignore can prevent Code Scanning annotating new alerts in your pull requests.`,
CheckoutWrongHead: `git checkout HEAD^2 is no longer necessary. Please remove this step as Code Scanning recommends analyzing the merge commit for best results.`,
});
@ -162,19 +160,6 @@ export function getWorkflowErrors(doc: Workflow): CodedError[] {
if (!hasPush && hasPullRequest) {
missingPush = true;
}
if (hasPush && hasPullRequest) {
const paths = doc.on.push?.paths;
// if you specify paths or paths-ignore you can end up with commits that have no baseline
// if they didn't change any files
// currently we cannot go back through the history and find the most recent baseline
if (Array.isArray(paths) && paths.length > 0) {
errors.push(WorkflowErrors.PathsSpecified);
}
const pathsIgnore = doc.on.push?.["paths-ignore"];
if (Array.isArray(pathsIgnore) && pathsIgnore.length > 0) {
errors.push(WorkflowErrors.PathsIgnoreSpecified);
}
}
// if doc.on.pull_request is null that means 'all branches'
// if doc.on.pull_request is undefined that means 'off'

6
tests/multi-language-repo/.github/codeql/codeql-config-packaging.yml vendored
View file

@ -3,9 +3,9 @@ name: Pack testing in the CodeQL Action
disable-default-queries: true
packs:
javascript:
- dsp-testing/codeql-pack1@1.0.0
- dsp-testing/codeql-pack2
- dsp-testing/codeql-pack3:other-query.ql
- codeql-testing/codeql-pack1@1.0.0
- codeql-testing/codeql-pack2
- codeql-testing/codeql-pack3:other-query.ql
paths-ignore:
- tests

4
tests/multi-language-repo/.github/codeql/codeql-config-packaging3.yml vendored
View file

@ -3,8 +3,8 @@ name: Pack testing in the CodeQL Action
disable-default-queries: true
packs:
javascript:
- dsp-testing/codeql-pack2
- dsp-testing/codeql-pack3:other-query.ql
- codeql-testing/codeql-pack2
- codeql-testing/codeql-pack3:other-query.ql
paths-ignore:
- tests
- lib

2
tests/multi-language-repo/.github/codeql/codeql-config-query-filters2.yml vendored
View file

@ -5,7 +5,7 @@ disable-default-queries: true
packs:
javascript:
- codeql/javascript-queries
- dsp-testing/codeql-pack1@1.0.0
- codeql-testing/codeql-pack1@1.0.0
query-filters:
# This should run js/path-injection and js/zipslip

2
tests/multi-language-repo/.github/codeql/codeql-config-query-filters3.yml vendored
View file

@ -15,7 +15,7 @@ queries:
packs:
javascript:
- codeql/javascript-queries
- dsp-testing/codeql-pack1@1.0.0
- codeql-testing/codeql-pack1@1.0.0
query-filters:
# This should run js/path-injection and js/zipslip

4
tests/multi-language-repo/.github/codeql/codeql-config-registries.yml vendored
View file

@ -3,5 +3,5 @@ name: Pack testing in the CodeQL Action
disable-default-queries: true
packs:
javascript:
- dsp-testing/private-pack
- dsp-testing/codeql-pack1
- codeql-testing/private-pack
- codeql-testing/codeql-pack1

4
tests/multi-language-repo/.github/codeql/multi-language-packs-config.yml vendored
View file

@ -1,7 +1,7 @@
packs:
javascript:
- dsp-testing/codeql-pack1@1.0.0
- dsp-testing/codeql-pack2
- codeql-testing/codeql-pack1@1.0.0
- codeql-testing/codeql-pack2
ruby:
- codeql/ruby-queries

4
tests/multi-language-repo/.github/codeql/queries-and-packs-config.yml vendored
View file

@ -1,7 +1,7 @@
packs:
javascript:
- dsp-testing/codeql-pack1@1.0.0
- dsp-testing/codeql-pack2
- codeql-testing/codeql-pack1@1.0.0
- codeql-testing/codeql-pack2
queries:
- uses: ./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql