Merge branch 'main' into update-supported-enterprise-server-versions

This commit is contained in:
Henry Mercer
2024-01-02 19:12:46 +00:00
committed by Henry Mercer
1130 changed files with 110322 additions and 223658 deletions


@@ -187,7 +187,7 @@ export async function getRef(): Promise<string> {
const hasShaInput = !!shaInput;
// If one of 'ref' or 'sha' are provided, both are required
if ((hasRefInput || hasShaInput) && !(hasRefInput && hasShaInput)) {
throw new Error(
throw new UserError(
"Both 'ref' and 'sha' are required if one of them is provided.",
);
}


@@ -25,6 +25,7 @@ import { DatabaseCreationTimings, EventReport } from "./status-report";
import { endTracingForCluster } from "./tracer-config";
import { validateSarifFileSchema } from "./upload-lib";
import * as util from "./util";
import { UserError } from "./util";
export class CodeQLAnalysisError extends Error {
queriesStatusReport: QueriesStatusReport;
@@ -297,7 +298,7 @@ export async function runQueries(
!hasCustomQueries &&
!hasPackWithCustomQueries
) {
throw new Error(
throw new UserError(
`Unable to analyze ${language} as no queries were selected for this language`,
);
}
@@ -614,7 +615,7 @@ export function validateQueryFilters(queryFilters?: configUtils.QueryFilter[]) {
}
if (!Array.isArray(queryFilters)) {
throw new Error(
throw new UserError(
`Query filters must be an array of "include" or "exclude" entries. Found ${typeof queryFilters}`,
);
}
@@ -637,7 +638,7 @@ export function validateQueryFilters(queryFilters?: configUtils.QueryFilter[]) {
}
if (errors.length) {
throw new Error(`Invalid query filter.\n${errors.join("\n")}`);
throw new UserError(`Invalid query filter.\n${errors.join("\n")}`);
}
return queryFilters;
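Review bot: analyze.ts now imports `./util` twice — the existing `import * as util from "./util"` and the added `import { UserError } from "./util"` — whereas the codeql.ts and setup-codeql.ts hunks in this same merge reach the class through the namespace import as `util.UserError`. For consistency across the files touched here, and to avoid a second import of the same module, the three new throws in runQueries and validateQueryFilters could read `throw new util.UserError(` and the added import line could be dropped. runQueries and validateQueryFilters both start and end outside their hunks.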


@@ -1 +1 @@
{"maximumVersion": "3.11", "minimumVersion": "3.8"}
{"maximumVersion": "3.12", "minimumVersion": "3.8"}


@@ -38,11 +38,11 @@ export async function determineAutobuildLanguages(
* For example, consider a user with the following workflow file:
*
* ```yml
* - uses: github/codeql-action/init@v2
* - uses: github/codeql-action/init@v3
* with:
* languages: go, java
* - uses: github/codeql-action/autobuild@v2
* - uses: github/codeql-action/analyze@v2
* - uses: github/codeql-action/autobuild@v3
* - uses: github/codeql-action/analyze@v3
* ```
*
* - With Go extraction disabled, we will run the Java autobuilder in the


@@ -418,7 +418,7 @@ export async function setupCodeQL(
if (process.platform === "win32") {
codeqlCmd += ".exe";
} else if (process.platform !== "linux" && process.platform !== "darwin") {
throw new Error(`Unsupported platform: ${process.platform}`);
throw new util.UserError(`Unsupported platform: ${process.platform}`);
}
cachedCodeQL = await getCodeQLForCmd(codeqlCmd, checkVersion);
@@ -692,24 +692,13 @@ export async function getCodeQLForCmd(
await runTool(autobuildCmd);
},
async extractScannedLanguage(config: Config, language: Language) {
const databasePath = util.getCodeQLDatabasePath(config, language);
// Set trace command
const ext = process.platform === "win32" ? ".cmd" : ".sh";
const traceCommand = path.resolve(
await this.resolveExtractor(language),
"tools",
`autobuild${ext}`,
);
// Run trace command
await runTool(cmd, [
"database",
"trace-command",
"--index-traceless-dbs",
...(await getTrapCachingExtractorConfigArgsForLang(config, language)),
...getExtraOptionsFromEnv(["database", "trace-command"]),
databasePath,
"--",
traceCommand,
util.getCodeQLDatabasePath(config, language),
]);
},
async finalizeDatabase(
@@ -1150,7 +1139,7 @@ export async function getCodeQLForCmd(
checkVersion &&
!(await util.codeQlVersionAbove(codeql, CODEQL_MINIMUM_VERSION))
) {
throw new Error(
throw new util.UserError(
`Expected a CodeQL CLI with version at least ${CODEQL_MINIMUM_VERSION} but got version ${
(await codeql.getVersion()).version
}`,
@@ -1170,7 +1159,7 @@ export async function getCodeQLForCmd(
"version of the CLI using the 'tools' input to the 'init' Action, you can remove this " +
"input to use the default version.\n\n" +
"Alternatively, if you want to continue using CodeQL CLI version " +
`${result.version}, you can replace 'github/codeql-action/*@v2' by ` +
`${result.version}, you can replace 'github/codeql-action/*@v3' by ` +
`'github/codeql-action/*@v${getActionVersion()}' in your code scanning workflow to ` +
"continue using this version of the CodeQL Action.",
);


@@ -1,6 +1,6 @@
{
"bundleVersion": "codeql-bundle-v2.15.2",
"cliVersion": "2.15.2",
"priorBundleVersion": "codeql-bundle-v2.15.1",
"priorCliVersion": "2.15.1"
"bundleVersion": "codeql-bundle-v2.15.5",
"cliVersion": "2.15.5",
"priorBundleVersion": "codeql-bundle-v2.15.4",
"priorCliVersion": "2.15.4"
}


@@ -6,6 +6,7 @@ import * as safeWhich from "@chrisgavin/safe-which";
import { GitHubApiExternalRepoDetails } from "./api-client";
import { Logger } from "./logging";
import { UserError } from "./util";
/**
* Check out repository at the given ref, and return the directory of the checkout.
@@ -23,7 +24,7 @@ export async function checkoutExternalRepository(
if (!checkoutLocation.startsWith(tempDir)) {
// this still permits locations that mess with sibling repositories in `tempDir`, but that is acceptable
throw new Error(
throw new UserError(
`'${repository}@${ref}' is not a valid repository and reference.`,
);
}


@@ -91,14 +91,14 @@ test("uploads failed SARIF run with `diagnostics export` if feature flag is off"
},
{
name: "Initialize CodeQL",
uses: "github/codeql-action/init@v2",
uses: "github/codeql-action/init@v3",
with: {
languages: "javascript",
},
},
{
name: "Perform CodeQL Analysis",
uses: "github/codeql-action/analyze@v2",
uses: "github/codeql-action/analyze@v3",
with: {
category: "my-category",
},
@@ -115,14 +115,14 @@ test("uploads failed SARIF run with `diagnostics export` if the database doesn't
},
{
name: "Initialize CodeQL",
uses: "github/codeql-action/init@v2",
uses: "github/codeql-action/init@v3",
with: {
languages: "javascript",
},
},
{
name: "Perform CodeQL Analysis",
uses: "github/codeql-action/analyze@v2",
uses: "github/codeql-action/analyze@v3",
with: {
category: "my-category",
},
@@ -142,14 +142,14 @@ test("uploads failed SARIF run with database export-diagnostics if the database
},
{
name: "Initialize CodeQL",
uses: "github/codeql-action/init@v2",
uses: "github/codeql-action/init@v3",
with: {
languages: "javascript",
},
},
{
name: "Perform CodeQL Analysis",
uses: "github/codeql-action/analyze@v2",
uses: "github/codeql-action/analyze@v3",
with: {
category: "my-category",
},
@@ -199,14 +199,14 @@ for (const { uploadInput, shouldUpload } of UPLOAD_INPUT_TEST_CASES) {
},
{
name: "Initialize CodeQL",
uses: "github/codeql-action/init@v2",
uses: "github/codeql-action/init@v3",
with: {
languages: "javascript",
},
},
{
name: "Perform CodeQL Analysis",
uses: "github/codeql-action/analyze@v2",
uses: "github/codeql-action/analyze@v3",
with: {
category: "my-category",
upload: uploadInput,
@@ -234,14 +234,14 @@ test("uploading failed SARIF run succeeds when workflow uses an input with a mat
},
{
name: "Initialize CodeQL",
uses: "github/codeql-action/init@v2",
uses: "github/codeql-action/init@v3",
with: {
languages: "javascript",
},
},
{
name: "Perform CodeQL Analysis",
uses: "github/codeql-action/analyze@v2",
uses: "github/codeql-action/analyze@v3",
with: {
category: "/language:${{ matrix.language }}",
},
@@ -261,14 +261,14 @@ test("uploading failed SARIF run fails when workflow uses a complex upload input
},
{
name: "Initialize CodeQL",
uses: "github/codeql-action/init@v2",
uses: "github/codeql-action/init@v3",
with: {
languages: "javascript",
},
},
{
name: "Perform CodeQL Analysis",
uses: "github/codeql-action/analyze@v2",
uses: "github/codeql-action/analyze@v3",
with: {
upload: "${{ matrix.language != 'csharp' }}",
},
@@ -391,6 +391,7 @@ async function testFailedSarifUpload(
);
if (expectUpload) {
t.deepEqual(result, {
sarifID: "42",
raw_upload_size_bytes: 20,
zipped_upload_size_bytes: 10,
});


@@ -1,15 +1,16 @@
import * as core from "@actions/core";
import * as actionsUtil from "./actions-util";
import { getApiClient } from "./api-client";
import { CODEQL_VERSION_EXPORT_FAILED_SARIF, getCodeQL } from "./codeql";
import { Config, getConfig } from "./config-utils";
import { EnvVar } from "./environment";
import { Feature, FeatureEnablement } from "./feature-flags";
import { Logger } from "./logging";
import { RepositoryNwo } from "./repository";
import { RepositoryNwo, parseRepositoryNwo } from "./repository";
import * as uploadLib from "./upload-lib";
import {
codeQlVersionAbove,
delay,
getErrorMessage,
getRequiredEnvParam,
isInTestMode,
parseMatrixInput,
@@ -29,6 +30,9 @@ export interface UploadFailedSarifResult extends uploadLib.UploadStatusReport {
upload_failed_run_stack_trace?: string;
/** Reason why we did not upload a SARIF payload with `executionSuccessful: false`. */
upload_failed_run_skipped_because?: string;
/** The internal ID of SARIF analysis. */
sarifID?: string;
}
function createFailedUploadFailedSarifResult(
@@ -93,7 +97,7 @@ async function maybeUploadFailedSarif(
);
}
core.info(`Uploading failed SARIF file ${sarifFile}`);
logger.info(`Uploading failed SARIF file ${sarifFile}`);
const uploadResult = await uploadLib.uploadFromActions(
sarifFile,
checkoutPath,
@@ -107,7 +111,9 @@ async function maybeUploadFailedSarif(
logger,
{ isUnsuccessfulExecution: true },
);
return uploadResult?.statusReport ?? {};
return uploadResult
? { ...uploadResult.statusReport, sarifID: uploadResult.sarifID }
: {};
}
export async function tryUploadSarifIfRunFailed(
@@ -180,9 +186,13 @@ export async function run(
);
}
if (process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true") {
await removeUploadedSarif(uploadFailedSarifResult, logger);
}
// Upload appropriate Actions artifacts for debugging
if (config.debugMode) {
core.info(
logger.info(
"Debug mode is on. Uploading available database bundles and logs as Actions debugging artifacts...",
);
await uploadDatabaseBundleDebugArtifact(config, logger);
@@ -193,3 +203,77 @@ export async function run(
return uploadFailedSarifResult;
}
async function removeUploadedSarif(
uploadFailedSarifResult: UploadFailedSarifResult,
logger: Logger,
) {
const sarifID = uploadFailedSarifResult.sarifID;
if (sarifID) {
logger.startGroup("Deleting failed SARIF upload");
logger.info(
`In test mode, therefore deleting the failed analysis to avoid impacting tool status for the Action repository. SARIF ID to delete: ${sarifID}.`,
);
const client = getApiClient();
try {
const repositoryNwo = parseRepositoryNwo(
getRequiredEnvParam("GITHUB_REPOSITORY"),
);
// Wait to make sure the analysis is ready for download before requesting it.
await delay(5000);
// Get the analysis associated with the uploaded sarif
const analysisInfo = await client.request(
"GET /repos/:owner/:repo/code-scanning/analyses?sarif_id=:sarif_id",
{
owner: repositoryNwo.owner,
repo: repositoryNwo.repo,
sarif_id: sarifID,
},
);
// Delete the analysis.
if (analysisInfo.data.length === 1) {
const analysis = analysisInfo.data[0];
logger.info(`Analysis ID to delete: ${analysis.id}.`);
try {
await client.request(
"DELETE /repos/:owner/:repo/code-scanning/analyses/:analysis_id?confirm_delete",
{
owner: repositoryNwo.owner,
repo: repositoryNwo.repo,
analysis_id: analysis.id,
},
);
logger.info(`Analysis deleted.`);
} catch (e) {
const origMessage = getErrorMessage(e);
const newMessage = origMessage.includes(
"No analysis found for analysis ID",
)
? `Analysis ${analysis.id} does not exist. It was likely already deleted.`
: origMessage;
throw new Error(newMessage);
}
} else {
throw new Error(
`Expected to find exactly one analysis with sarif_id ${sarifID}. Found ${analysisInfo.data.length}.`,
);
}
} catch (e) {
throw new Error(
`Failed to delete uploaded SARIF analysis. Reason: ${getErrorMessage(
e,
)}`,
);
} finally {
logger.endGroup();
}
} else {
logger.warning(
"Could not delete the uploaded SARIF analysis because a SARIF ID wasn't provided by the API when uploading the SARIF file.",
);
}
}
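Review bot: The new removeUploadedSarif issues a DELETE against the repository's code-scanning analyses, yet the only gate in run() is `process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true"`, while the log line inside the helper asserts "In test mode" and the file already imports isInTestMode. If isInTestMode() holds on the runs that set this variable, tightening the gate to `if (isInTestMode() && process.env["CODEQL_ACTION_EXPECT_UPLOAD_FAILED_SARIF"] === "true") {` would keep a stray environment variable from deleting a real analysis; otherwise a TSDoc comment on removeUploadedSarif should state that the env var alone authorises the deletion. The inner catch wraps the failure in `new Error(newMessage)` and the outer catch wraps it again with getErrorMessage, which uses `toString()`, so the surfaced message will read `Failed to delete uploaded SARIF analysis. Reason: Error: Analysis … does not exist …`; rethrowing the inner message once, or having the outer catch use `.message`, avoids the doubled prefix. The fixed `await delay(5000)` followed by a hard failure when `analysisInfo.data.length !== 1` is brittle if the analysis is not yet visible; a short bounded retry on an empty result would be more robust. run() starts outside its hunk; removeUploadedSarif is complete within it.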


@@ -1,3 +1,5 @@
import { UserError } from "./util";
// A repository name with owner, parsed into its two parts
export interface RepositoryNwo {
owner: string;
@@ -7,7 +9,7 @@ export interface RepositoryNwo {
export function parseRepositoryNwo(input: string): RepositoryNwo {
const parts = input.split("/");
if (parts.length !== 2) {
throw new Error(`"${input}" is not a valid repository name`);
throw new UserError(`"${input}" is not a valid repository name`);
}
return {
owner: parts[0],
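Review bot: The new UserError in parseRepositoryNwo is raised only when `parts.length !== 2`, so inputs such as `"/"`, `"owner/"` or `"/repo"` still pass and yield an empty owner or repo that later becomes an API path segment. Since the throw is being rewritten anyway, the guard could also reject empty halves: `if (parts.length !== 2 || parts[0] === "" || parts[1] === "") {`. parseRepositoryNwo's body continues outside the hunk.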


@@ -27,7 +27,9 @@ export async function runResolveBuildEnvironment(
) {
const parsedLanguage = parseLanguage(languageInput)?.toString();
if (parsedLanguage === undefined) {
throw new Error(`Did not recognize the language '${languageInput}'.`);
throw new util.UserError(
`Did not recognize the language '${languageInput}'.`,
);
}
language = parsedLanguage;
}


@@ -647,7 +647,7 @@ export async function downloadCodeQL(
export function getCodeQLURLVersion(url: string): string {
const match = url.match(/\/codeql-bundle-(.*)\//);
if (match === null || match.length < 2) {
throw new Error(
throw new util.UserError(
`Malformed tools url: ${url}. Version could not be inferred`,
);
}


@@ -120,7 +120,7 @@ export function getExtraOptionsEnvParam(): object {
return JSON.parse(raw);
} catch (unwrappedError) {
const error = wrapError(unwrappedError);
throw new Error(
throw new UserError(
`${varName} environment variable is set, but does not contain valid JSON: ${error.message}`,
);
}
@@ -204,7 +204,7 @@ export function getMemoryFlagValueForPlatform(
if (userInput) {
memoryToUseMegaBytes = Number(userInput);
if (Number.isNaN(memoryToUseMegaBytes) || memoryToUseMegaBytes <= 0) {
throw new Error(`Invalid RAM setting "${userInput}", specified.`);
throw new UserError(`Invalid RAM setting "${userInput}", specified.`);
}
} else {
const totalMemoryMegaBytes = totalMemoryBytes / (1024 * 1024);
@@ -358,7 +358,7 @@ export function getThreadsFlagValue(
if (userInput) {
numThreads = Number(userInput);
if (Number.isNaN(numThreads)) {
throw new Error(`Invalid threads setting "${userInput}", specified.`);
throw new UserError(`Invalid threads setting "${userInput}", specified.`);
}
if (numThreads > maxThreads) {
logger.info(
@@ -412,14 +412,14 @@ export function parseGitHubUrl(inputUrl: string): string {
inputUrl = `https://${inputUrl}`;
}
if (!inputUrl.startsWith("http://") && !inputUrl.startsWith("https://")) {
throw new Error(`"${originalUrl}" is not a http or https URL`);
throw new UserError(`"${originalUrl}" is not a http or https URL`);
}
let url: URL;
try {
url = new URL(inputUrl);
} catch (e) {
throw new Error(`"${originalUrl}" is not a valid URL`);
throw new UserError(`"${originalUrl}" is not a valid URL`);
}
// If we detect this is trying to be to github.com
@@ -624,8 +624,9 @@ export async function bundleDb(
*/
export async function delay(
milliseconds: number,
{ allowProcessExit }: { allowProcessExit: boolean },
opts?: { allowProcessExit: boolean },
) {
const { allowProcessExit } = opts || {};
return new Promise((resolve) => {
const timer = setTimeout(resolve, milliseconds);
if (allowProcessExit) {
@@ -909,6 +910,10 @@ export function wrapError(error: unknown): Error {
return error instanceof Error ? error : new Error(String(error));
}
export function getErrorMessage(error: unknown): string {
return error instanceof Error ? error.toString() : String(error);
}
export function prettyPrintPack(pack: Pack) {
return `${pack.name}${pack.version ? `@${pack.version}` : ""}${
pack.path ? `:${pack.path}` : ""
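Review bot: The new exported `getErrorMessage` returns `error.toString()`, which for an Error yields `"<name>: <message>"`, whereas the neighbouring `wrapError(...).message` convention yields the message alone; callers that embed the result in a fresh `new Error(...)` (as the new removeUploadedSarif in init-action-post-helper.ts does twice) therefore accumulate `Error: Error: …` prefixes, and any `includes(...)` match on the result depends on the prefix as well. Either add a TSDoc comment on the export stating that the name prefix is intended, or return the message alone for Error instances: `return error instanceof Error ? error.message : String(error);`. In the `delay` hunk, `opts || {}` would more precisely be `opts ?? {}` now that `opts` is optional, though for an object parameter the result is the same. delay's body continues outside the hunk.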


@@ -396,9 +396,9 @@ async function testLanguageAliases(
},
},
steps: [
{ uses: "actions/checkout@v2" },
{ uses: "github/codeql-action/init@v2" },
{ uses: "github/codeql-action/analyze@v2" },
{ uses: "actions/checkout@v3" },
{ uses: "github/codeql-action/init@v3" },
{ uses: "github/codeql-action/analyze@v3" },
],
},
},
@@ -516,11 +516,11 @@ test("getWorkflowErrors() should only report the current job's CheckoutWrongHead
test:
steps:
- run: "git checkout HEAD^2"
test2:
steps:
- run: "git checkout HEAD^2"
test3:
steps: []
`) as Workflow,
@@ -546,11 +546,11 @@ test("getWorkflowErrors() should not report a different job's CheckoutWrongHead"
test:
steps:
- run: "git checkout HEAD^2"
test2:
steps:
- run: "git checkout HEAD^2"
test3:
steps: []
`) as Workflow,
@@ -652,9 +652,9 @@ test("getCategoryInputOrThrow returns category for simple workflow with category
analysis:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: github/codeql-action/init@v2
- uses: github/codeql-action/analyze@v2
- uses: actions/checkout@v3
- uses: github/codeql-action/init@v3
- uses: github/codeql-action/analyze@v3
with:
category: some-category
`) as Workflow,
@@ -674,9 +674,9 @@ test("getCategoryInputOrThrow returns undefined for simple workflow without cate
analysis:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: github/codeql-action/init@v2
- uses: github/codeql-action/analyze@v2
- uses: actions/checkout@v3
- uses: github/codeql-action/init@v3
- uses: github/codeql-action/analyze@v3
`) as Workflow,
"analysis",
{},
@@ -694,19 +694,19 @@ test("getCategoryInputOrThrow returns category for workflow with multiple jobs",
foo:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: github/codeql-action/init@v2
- uses: actions/checkout@v3
- uses: github/codeql-action/init@v3
- runs: ./build foo
- uses: github/codeql-action/analyze@v2
- uses: github/codeql-action/analyze@v3
with:
category: foo-category
bar:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: github/codeql-action/init@v2
- uses: actions/checkout@v3
- uses: github/codeql-action/init@v3
- runs: ./build bar
- uses: github/codeql-action/analyze@v2
- uses: github/codeql-action/analyze@v3
with:
category: bar-category
`) as Workflow,
@@ -729,11 +729,11 @@ test("getCategoryInputOrThrow finds category for workflow with language matrix",
matrix:
language: [javascript, python]
steps:
- uses: actions/checkout@v2
- uses: github/codeql-action/init@v2
- uses: actions/checkout@v3
- uses: github/codeql-action/init@v3
with:
language: \${{ matrix.language }}
- uses: github/codeql-action/analyze@v2
- uses: github/codeql-action/analyze@v3
with:
category: "/language:\${{ matrix.language }}"
`) as Workflow,
@@ -753,9 +753,9 @@ test("getCategoryInputOrThrow throws error for workflow with dynamic category",
jobs:
analysis:
steps:
- uses: actions/checkout@v2
- uses: github/codeql-action/init@v2
- uses: github/codeql-action/analyze@v2
- uses: actions/checkout@v3
- uses: github/codeql-action/init@v3
- uses: github/codeql-action/analyze@v3
with:
category: "\${{ github.workflow }}"
`) as Workflow,
@@ -780,12 +780,12 @@ test("getCategoryInputOrThrow throws error for workflow with multiple calls to a
analysis:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: github/codeql-action/init@v2
- uses: github/codeql-action/analyze@v2
- uses: actions/checkout@v3
- uses: github/codeql-action/init@v3
- uses: github/codeql-action/analyze@v3
with:
category: some-category
- uses: github/codeql-action/analyze@v2
- uses: github/codeql-action/analyze@v3
with:
category: another-category
`) as Workflow,