Merge branch 'main' into adityasharad/ram-threshold

2021-02-17 11:29:15 -08:00 · 2021-02-17 11:29:15 -08:00 · fd0ad84431
commit fd0ad84431
parent 4c94e29f1b 41b73e168c
31 changed files with 2163 additions and 13 deletions
--- a/lib/codeql.js
+++ b/lib/codeql.js
@ -18,6 +18,7 @@ const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
 const http = __importStar(require("@actions/http-client"));
 const toolcache = __importStar(require("@actions/tool-cache"));
 const fast_deep_equal_1 = __importDefault(require("fast-deep-equal"));
+const query_string_1 = __importDefault(require("query-string"));
 const semver = __importStar(require("semver"));
 const uuid_1 = require("uuid");
 const actions_util_1 = require("./actions-util");
@ -109,6 +110,25 @@ async function getCodeQLBundleDownloadURL(apiDetails, mode, logger) {
            logger.info(`Looked for CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} but got error ${e}.`);
        }
    }
+    try {
+        const release = await api
+            .getApiClient(apiDetails)
+            .request("GET /enterprise/code-scanning/codeql-bundle/find/{tag}", {
+            tag: CODEQL_BUNDLE_VERSION,
+        });
+        const assetID = release.data.assets[codeQLBundleName];
+        if (assetID !== undefined) {
+            const download = await api
+                .getApiClient(apiDetails)
+                .request("GET /enterprise/code-scanning/codeql-bundle/download/{asset_id}", { asset_id: assetID });
+            const downloadURL = download.data.url;
+            logger.info(`Found CodeQL bundle at GitHub AE endpoint with URL ${downloadURL}.`);
+            return downloadURL;
+        }
+    }
+    catch (e) {
+        logger.info(`Attempted to fetch bundle from GitHub AE endpoint but got error ${e}.`);
+    }
    return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${codeQLBundleName}`;
 }
 // We have to download CodeQL manually because the toolcache doesn't support Accept headers.
@ -163,11 +183,15 @@ async function setupCodeQL(codeqlURL, apiDetails, tempDir, toolsDir, mode, logge
            if (!codeqlURL) {
                codeqlURL = await getCodeQLBundleDownloadURL(apiDetails, mode, logger);
            }
+            const parsedCodeQLURL = new URL(codeqlURL);
+            const parsedQueryString = query_string_1.default.parse(parsedCodeQLURL.search);
            const headers = { accept: "application/octet-stream" };
            // We only want to provide an authorization header if we are downloading
            // from the same GitHub instance the Action is running on.
            // This avoids leaking Enterprise tokens to dotcom.
-            if (codeqlURL.startsWith(`${apiDetails.url}/`)) {
+            // We also don't want to send an authorization header if there's already a token provided in the URL.
+            if (codeqlURL.startsWith(`${apiDetails.url}/`) &&
+                parsedQueryString["token"] === undefined) {
                logger.debug("Downloading CodeQL bundle with token.");
                headers.authorization = `token ${apiDetails.auth}`;
            }
--- a/lib/codeql.js.map
+++ b/lib/codeql.js.map
--- a/lib/runner.js
+++ b/lib/runner.js
@ -84,7 +84,6 @@ program
    .requiredOption("--github-url <url>", "URL of GitHub instance. (Required)")
    .option("--github-auth <auth>", "GitHub Apps token or personal access token. This option is insecure and deprecated, please use `--github-auth-stdin` instead.")
    .option("--github-auth-stdin", "Read GitHub Apps token or personal access token from stdin.")
-    .option("--external-repository-token <token>", "A token for fetching external config files and queries if they reside in a private repository.")
    .option("--languages <languages>", "Comma-separated list of languages to analyze. Otherwise detects and analyzes all supported languages from the repo.")
    .option("--queries <queries>", "Comma-separated list of additional queries to run. This overrides the same setting in a configuration file.")
    .option("--config-file <file>", "Path to config file.")
@ -108,7 +107,7 @@ program
        const auth = await util_1.getGitHubAuth(logger, cmd.githubAuth, cmd.githubAuthStdin);
        const apiDetails = {
            auth,
-            externalRepoAuth: cmd.externalRepositoryToken,
+            externalRepoAuth: auth,
            url: util_1.parseGithubUrl(cmd.githubUrl),
        };
        const gitHubVersion = await util_1.getGitHubVersion(apiDetails);
--- a/lib/runner.js.map
+++ b/lib/runner.js.map