Now that `latest` and `cached` are both 2.13.3, which is the version in which we GA'ed Swift, we should stop setting this experimental variable when we test these CLI versions so we can test the case where the variable is unset.
# Warning: This file is generated automatically, and should not be modified.
|
|
# Instead, please modify the template in the pr-checks directory and run:
|
|
# (cd pr-checks; pip install ruamel.yaml && python3 sync.py)
|
|
# to regenerate this file.
|
|
|
|
name: PR Check - ML-powered queries
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
GO111MODULE: auto
|
|
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- releases/v2
|
|
pull_request:
|
|
types:
|
|
- opened
|
|
- synchronize
|
|
- reopened
|
|
- ready_for_review
|
|
workflow_dispatch: {}
|
|
jobs:
|
|
ml-powered-queries:
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- os: ubuntu-latest
|
|
version: stable-20220401
|
|
- os: macos-latest
|
|
version: stable-20220401
|
|
- os: windows-latest
|
|
version: stable-20220401
|
|
- os: ubuntu-latest
|
|
version: stable-20220615
|
|
- os: macos-latest
|
|
version: stable-20220615
|
|
- os: windows-latest
|
|
version: stable-20220615
|
|
- os: ubuntu-latest
|
|
version: stable-20220908
|
|
- os: macos-latest
|
|
version: stable-20220908
|
|
- os: windows-latest
|
|
version: stable-20220908
|
|
- os: ubuntu-latest
|
|
version: stable-20221211
|
|
- os: macos-latest
|
|
version: stable-20221211
|
|
- os: windows-latest
|
|
version: stable-20221211
|
|
- os: ubuntu-latest
|
|
version: cached
|
|
- os: macos-latest
|
|
version: cached
|
|
- os: windows-latest
|
|
version: cached
|
|
- os: ubuntu-latest
|
|
version: latest
|
|
- os: macos-latest
|
|
version: latest
|
|
- os: windows-latest
|
|
version: latest
|
|
- os: ubuntu-latest
|
|
version: nightly-latest
|
|
- os: macos-latest
|
|
version: nightly-latest
|
|
- os: windows-latest
|
|
version: nightly-latest
|
|
name: ML-powered queries
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
timeout-minutes: 45
|
|
runs-on: ${{ matrix.os }}
|
|
steps:
|
|
- name: Check out repository
|
|
uses: actions/checkout@v3
|
|
- name: Prepare test
|
|
id: prepare-test
|
|
uses: ./.github/actions/prepare-test
|
|
with:
|
|
version: ${{ matrix.version }}
|
|
- name: Set environment variable for Swift enablement
|
|
if: >-
|
|
runner.os != 'Windows' && (
|
|
matrix.version == '20220908' ||
|
|
matrix.version == '20221211'
|
|
)
|
|
shell: bash
|
|
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
|
|
- uses: ./../action/init
|
|
with:
|
|
languages: javascript
|
|
queries: security-extended
|
|
source-root: ./../action/tests/ml-powered-queries-repo
|
|
tools: ${{ steps.prepare-test.outputs.tools-url }}
|
|
|
|
- uses: ./../action/analyze
|
|
with:
|
|
output: ${{ runner.temp }}/results
|
|
upload-database: false
|
|
|
|
- name: Upload SARIF
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
|
|
path: ${{ runner.temp }}/results/javascript.sarif
|
|
retention-days: 7
|
|
|
|
- name: Check sarif
|
|
uses: ./../action/.github/actions/check-sarif
|
|
# Running on Windows requires CodeQL CLI 2.9.0+.
|
|
if: "!(matrix.version == 'stable-20220401' && runner.os == 'Windows')"
|
|
with:
|
|
sarif-file: ${{ runner.temp }}/results/javascript.sarif
|
|
queries-run:
|
|
js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
|
|
queries-not-run: foo,bar
|
|
|
|
- name: Check results
|
|
env:
|
|
# Running on Windows requires CodeQL CLI 2.9.0+.
|
|
SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220401' &&
|
|
runner.os == 'Windows') }}
|
|
shell: bash
|
|
run: |
|
|
echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
|
|
|
|
cd "$RUNNER_TEMP/results"
|
|
# We should run at least the ML-powered queries in `expected_rules`.
|
|
expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
|
|
|
|
for rule in ${expected_rules}; do
|
|
found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
|
|
flatten | .[].id] | any(. == $rule)' javascript.sarif)
|
|
echo "Did find rule '${rule}': ${found_rule}"
|
|
if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
|
|
echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
|
|
exit 1
|
|
elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
|
|
echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
# We should have at least one alert from an ML-powered query.
|
|
num_alerts=$(jq '[.runs[0].results[] |
|
|
select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
|
|
javascript.sarif)
|
|
echo "Found ${num_alerts} alerts from ML-powered queries.";
|
|
if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
|
|
echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
|
|
exit 1
|
|
elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
|
|
echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
|
|
exit 1
|
|
fi
|
|
env:
|
|
CODEQL_ACTION_TEST_MODE: true
|
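Review bot: The condition on the "Set environment variable for Swift enablement" step compares `matrix.version` against `'20220908'` and `'20221211'`, but every matrix entry uses the prefixed form (`stable-20220908`, `stable-20221211`), and the later check-sarif condition also compares against `'stable-20220401'`, so as written this step never runs and `CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT` is never exported for the two versions that still need it. The intended narrowing to only pre-GA versions is right, but the comparison should read `matrix.version == 'stable-20220908' ||` and `matrix.version == 'stable-20221211'`. Since the header says this file is generated, the fix belongs in the template under the pr-checks directory and then re-synced, otherwise the next regeneration reintroduces the mismatch. Separately, `CODEQL_ACTION_TEST_MODE: true` under the job-level `env` is an unquoted boolean; GitHub stringifies it, but quoting it as `'true'` like `CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` above keeps the file consistent and avoids retyping by other YAML tooling.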