Merge main into releases/v2 #1107

Merged
merged 41 commits into from
Jun 21, 2022
41 commits
bfe9d7d
Add Swift as a supported language.
MathiasVP May 27, 2022
16c620d
Make the linter happy.
MathiasVP May 31, 2022
57096f1
Update changelog and version after v2.1.12
invalid-email-address Jun 1, 2022
632cc8e
Update checked-in dependencies
invalid-email-address Jun 1, 2022
69e0990
Merge pull request #1089 from github/mergeback/v2.1.12-to-main-27ea8f8f
aeisenberg Jun 1, 2022
1b5ea4a
Merge branch 'main' into swift-support
MathiasVP Jun 3, 2022
ccf479d
Merge pull request #1085 from github/swift-support
aeisenberg Jun 3, 2022
f7c46e5
Avoid use of rmdir
aeisenberg Jun 13, 2022
29a2159
Merge pull request #1095 from github/aeisenberg/use-del
aeisenberg Jun 14, 2022
0efcf74
Add typings for js-yaml
aeisenberg Jun 13, 2022
bcb7fad
Add the check-sarif action
aeisenberg Jun 14, 2022
40b2800
Add capability to filter queries
aeisenberg Jun 14, 2022
06e27d3
Merge branch 'aeisenberg/js-yaml-typings' into aeisenberg/remove-queries
aeisenberg Jun 14, 2022
eec34d5
Add integration tests for query filters
aeisenberg Jun 14, 2022
81b419c
Merge pull request #1097 from github/aeisenberg/js-yaml-typings
aeisenberg Jun 15, 2022
0ece1d1
add ml query pack 0.3.0
TomBolton Jun 1, 2022
79d8e4a
fix lint errors
TomBolton Jun 13, 2022
f8f4c0b
compile the modified TypeScript to Javascript
TomBolton Jun 13, 2022
a568674
add tests for ML powered queries 0.3.0 and CLI 2.9.3
TomBolton Jun 13, 2022
a27dc4f
update security extended test for all platforms
TomBolton Jun 15, 2022
df05122
Merge pull request #1087 from github/tombolton/update-ml-pack
TomBolton Jun 15, 2022
428caf0
Update changelog
aeisenberg Jun 15, 2022
4918636
Clarify variable names in new action
aeisenberg Jun 15, 2022
6834383
Apply suggestions from code review
aeisenberg Jun 15, 2022
59ca9b5
Extract query-filters test into a composite action
aeisenberg Jun 15, 2022
97f9db4
Update supported GitHub Enterprise Server versions.
web-flow Jun 16, 2022
777b778
Spelling, capitalization, and better descriptions
aeisenberg Jun 16, 2022
6db77ee
Merge remote-tracking branch 'upstream/main' into aeisenberg/remove-q…
aeisenberg Jun 16, 2022
d7459f0
Merge branch 'aeisenberg/check-sarif-action' into aeisenberg/remove-q…
aeisenberg Jun 16, 2022
d2ab7a2
Merge pull request #1086 from github/update-supported-enterprise-serv…
henrymercer Jun 16, 2022
ee4575b
Merge branch 'main' into aeisenberg/check-sarif-action
aeisenberg Jun 16, 2022
7c412c6
Merge branch 'aeisenberg/check-sarif-action' into aeisenberg/remove-q…
aeisenberg Jun 16, 2022
80ecdcd
Merge pull request #1098 from github/aeisenberg/remove-queries
aeisenberg Jun 16, 2022
2e80c74
Merge pull request #1096 from github/aeisenberg/check-sarif-action
aeisenberg Jun 16, 2022
c7785f6
Fix input to action
aeisenberg Jun 17, 2022
2e111b2
Merge pull request #1102 from github/aeisenberg/fix-query-filters-test
aeisenberg Jun 17, 2022
7adb33d
Ensure there are no duplicates when sending up required checks
aeisenberg Jun 17, 2022
30fe0a5
Merge pull request #1103 from github/aeisenberg/fix-required-checks-s…
aeisenberg Jun 17, 2022
ccf5d70
Update default CodeQL version to 2.9.4
edoardopirovano Jun 15, 2022
31367d4
Merge pull request #1100 from github/edoardo/2.9.4-bump
edoardopirovano Jun 20, 2022
8bd4419
Update changelog for v2.1.13
invalid-email-address Jun 21, 2022
20 changes: 20 additions & 0 deletions .github/check-sarif/action.yml
@@ -0,0 +1,20 @@
name: Check SARIF
description: Checks a SARIF file to see if certain queries were run and others were not run.
inputs:
sarif-file:
required: true
description: The SARIF file to check

queries-run:
required: true
description: |
Comma separated list of query ids that should be included in this SARIF file.

queries-not-run:
required: true
description: |
Comma separated list of query ids that should NOT be included in this SARIF file.

runs:
using: node12
main: index.js
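Review bot: `runs.using: node12` pins this new action to a Node runtime that GitHub has deprecated for JavaScript actions; `node16` is available and avoids the deprecation warning on every run of the test workflows that call it. Also worth a sentence in `description`: `index.js` does a bare `require('@actions/core')`, so the action only works because it resolves that module from this repository's checked-in `node_modules`; it is not usable from another checkout as-is.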
43 changes: 43 additions & 0 deletions .github/check-sarif/index.js
@@ -0,0 +1,43 @@
'use strict'

const core = require('@actions/core')
const fs = require('fs')

const sarif = JSON.parse(fs.readFileSync(core.getInput('sarif-file'), 'utf8'))
const rules = sarif.runs[0].tool.extensions.flatMap(ext => ext.rules || [])
const ruleIds = rules.map(rule => rule.id)

// Check that all the expected queries ran
const expectedQueriesRun = getQueryIdsInput('queries-run')
const queriesThatShouldHaveRunButDidNot = expectedQueriesRun.filter(queryId => !ruleIds.includes(queryId))

if (queriesThatShouldHaveRunButDidNot.length > 0) {
core.setFailed(`The following queries were expected to run but did not: ${queriesThatShouldHaveRunButDidNot.join(', ')}`)
}

// Check that all the unexpected queries did not run
const expectedQueriesNotRun = getQueryIdsInput('queries-not-run')

const queriesThatShouldNotHaveRunButDid = expectedQueriesNotRun.filter(queryId => ruleIds.includes(queryId))

if (queriesThatShouldNotHaveRunButDid.length > 0) {
core.setFailed(`The following queries were NOT expected to have run but did: ${queriesThatShouldNotHaveRunButDid.join(', ')}`)
}


core.startGroup('All queries run')
rules.forEach(rule => {
core.info(`${rule.id}: ${(rule.properties && rule.properties.name) || rule.name}`)
})
core.endGroup()

core.startGroup('Full SARIF')
core.info(JSON.stringify(sarif, null, 2))
core.endGroup()

function getQueryIdsInput(name) {
return core.getInput(name)
.split(',')
.map(q => q.trim())
.filter(q => q.length > 0)
}
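Review bot: the rule list is built only from `sarif.runs[0].tool.extensions`, so rules reported under `tool.driver.rules` (or in a second run) are invisible to both checks: an id in `queries-run` that lives there is reported as not run, and an id in `queries-not-run` that lives there is missed entirely. If `extensions` is absent the script also dies with a TypeError rather than a readable `setFailed` message. Suggest collecting from both places across all runs with a guard, e.g. `const runs = sarif.runs || []` and `runs.flatMap(r => [...((r.tool.driver && r.tool.driver.rules) || []), ...(r.tool.extensions || []).flatMap(e => e.rules || [])])`. Minor: the `Full SARIF` group dumps the whole file into the log on every run; fine for a test action, but putting it behind `core.isDebug()` would keep the output readable when the check fails.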
52 changes: 52 additions & 0 deletions .github/query-filter-test/action.yml
@@ -0,0 +1,52 @@
name: Query Filter Test
description: Runs a test of query filters using the check SARIF action
inputs:
sarif-file:
required: true
description: The SARIF file to check

queries-run:
required: true
description: |
Comma separated list of query ids that should be included in this SARIF file.

queries-not-run:
required: true
description: |
Comma separated list of query ids that should NOT be included in this SARIF file.

config-file:
required: true
description: |
The location of the codeql configuration file to use.

tools:
required: true
description: |
The url of codeql to use.

runs:
using: composite
steps:
- uses: ./../action/init
with:
languages: javascript
config-file: ${{ inputs.config-file }}
tools: ${{ inputs.tools }}
db-location: ${{ runner.temp }}/query-filter-test
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
upload: false
env:
TEST_MODE: "true"
- name: Check SARIF
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ inputs.sarif-file }}
queries-run: ${{ inputs.queries-run}}
queries-not-run: ${{ inputs.queries-not-run}}
- name: Cleanup after test
shell: bash
run: rm -rf "$RUNNER_TEMP/results" "$RUNNER_TEMP//query-filter-test"
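Review bot: the `Cleanup after test` step has no `if: always()`, so when `Check SARIF` fails the database under `$RUNNER_TEMP/query-filter-test` and the results directory are left behind; that matters because the calling workflow invokes this composite action three times in one job with the same `db-location` and `output` paths. Two typos in the same region: `$RUNNER_TEMP//query-filter-test` has a doubled slash, and `${{ inputs.queries-run}}` / `${{ inputs.queries-not-run}}` drop the space before `}}` that every other expression in the file uses.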
47 changes: 47 additions & 0 deletions .github/workflows/expected-queries-runs.yml
@@ -0,0 +1,47 @@
name: Check queries that ran

on:
push:
branches:
- main
- releases/v1
- releases/v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}

jobs:
expected-queries:
name: Expected Queries Tests
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: latest
- uses: ./../action/init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
upload: false
env:
TEST_MODE: true

- name: Check Sarif
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/incomplete-hostname-regexp,js/path-injection
queries-not-run: foo,bar
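Review bot: `queries-not-run: foo,bar` can never fail, because no pack emits those ids, so the negative half of the check is not exercised by this workflow; use the id of a real query that is outside the default suite (one only pulled in by `security-extended`) so the assertion means something. Also, `TEST_MODE: true` is an unquoted YAML boolean here while the composite action in `.github/query-filter-test/action.yml` uses `"true"`; both reach the step as the string `true`, but one convention would be clearer.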
56 changes: 56 additions & 0 deletions .github/workflows/query-filters.yml
@@ -0,0 +1,56 @@
name: Query filters tests

on:
push:
branches:
- main
- releases/v1
- releases/v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}

jobs:
query-filters:
name: Query Filters Tests
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: latest

- name: Check SARIF for default queries with Single include, Single exclude
uses: ./../action/.github/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip
queries-not-run: js/path-injection
config-file: ./.github/codeql/codeql-config-query-filters1.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}

- name: Check SARIF for query packs with Single include, Single exclude
uses: ./../action/.github/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block
queries-not-run: js/path-injection
config-file: ./.github/codeql/codeql-config-query-filters2.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}

- name: Check SARIF for query packs and local queries with Single include, Single exclude
uses: ./../action/.github/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs
queries-not-run: js/path-injection,complex-python-querypack/show-ifs,complex-python-querypack/foo/bar/show-ifs
config-file: ./.github/codeql/codeql-config-query-filters3.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
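Review bot: in the third test, the two `complex-python-querypack/...` ids in `queries-not-run` cannot appear in `javascript.sarif` regardless of the filter, because the composite action hard-codes `languages: javascript`; they therefore do not test the exclude path, and a JavaScript query id excluded by `codeql-config-query-filters3.yml` would. The three steps share one job and the same `db-location` and `output` paths, so they depend on the composite action's cleanup step running after each one; a stale database from a failed step would make the next failure message misleading. The referenced `.github/codeql/codeql-config-query-filters{1,2,3}.yml` files are not in the rendered part of this diff; please confirm they are included.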
2 changes: 1 addition & 1 deletion .github/workflows/script/update-required-checks.sh
@@ -21,7 +21,7 @@ fi
echo "Getting checks for $GITHUB_SHA"

# Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
CHECKS="$(gh api repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") | not)] | sort')"
CHECKS="$(gh api repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") | not)] | unique | sort')"

echo "$CHECKS" | jq

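Review bot: jq's `unique` already returns a sorted array, so the trailing `| sort` is now redundant and `| unique` alone produces the same output; the dedup itself is the right fix for the duplicated check names. Unrelated but on the same line: `${GITHUB_SHA}` is unquoted inside the `gh api` path. It is always a hex SHA in Actions so this is harmless, but `"repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs"` is the safer habit.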
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,10 @@
# CodeQL Action Changelog

## 2.1.13 - 21 Jun 2022

- Add the ability to filter queries from a code scanning run by using the `query-filters` option in the code scanning configuration file. [#1098](https://github.com/github/codeql-action/pull/1098)
- Update default CodeQL bundle version to 2.9.4. [#1100](https://github.com/github/codeql-action/pull/1100)

## 2.1.12 - 01 Jun 2022

- Update default CodeQL bundle version to 2.9.3. [#1084](https://github.com/github/codeql-action/pull/1084)
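Review bot: the 2.1.13 entry lists only the query filters (#1098) and the 2.9.4 bump (#1100), but this merge also carries #1085 (`Add Swift as a supported language`, merged after 2.1.12 was cut on Jun 1) and #1086 (`Update supported GitHub Enterprise Server versions`); if Swift support is intentionally unannounced, say so in the PR description, otherwise add a line for it. The `query-filters` entry would also help users more with a pointer to the documentation of the accepted syntax, since the option name alone does not tell them what a filter looks like.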
2 changes: 1 addition & 1 deletion lib/actions-util.js.map
2 changes: 1 addition & 1 deletion lib/actions-util.test.js.map
78 changes: 59 additions & 19 deletions lib/analyze.js