github/codeql-action
1
0
Fork 0
mirror of https://github.com/github/codeql-action.git synced 2026-01-06 22:50:17 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add packs and queries from input

Browse Source 
This commit adds the packs and queries from the actions input to the
config file used by the CodeQL CLI.

When the `+` is used, the actions input value is combined with the
config value and when it is not used, the input value overrides the
config value.

This commit also adds a bunch of integration tests for this feature.
In order to avoid adding too many new jobs, all of the tests are
run sequentially in a single job (matrixed across relevant operating
systems and OSes).
This commit is contained in:
Andrew Eisenberg
2022-06-19 16:44:24 -07:00
parent 237260b693
commit 6fabde2be8
53 changed files with 2072 additions and 219 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
.github/workflows/__ml-powered-queries.yml generated vendored
View File

@@ -81,6 +81,15 @@ jobs:
path: ${{ runner.temp }}/results/javascript.sarif
retention-days: 7
- name: Check sarif
uses: ./../action/.github/check-sarif
if: matrix.os != 'windows-latest' || matrix.version == 'latest' || matrix.version
== 'nightly-latest'
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
queries-not-run: foo,bar
- name: Check results
# Running ML-powered queries on Windows requires CodeQL CLI 2.9.0+. We don't run these checks
# against Windows and `cached` while CodeQL CLI 2.9.0 makes its way into `cached` to avoid the

100
.github/workflows/__packaging-codescanning-config-inputs-js.yml generated vendored Normal file
View File

@@ -0,0 +1,100 @@
# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# pip install ruamel.yaml && python3 sync.py
# to regenerate this file.
name: 'PR Check - Packaging: Config and input passed to the CLI'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GO111MODULE: auto
on:
push:
branches:
- main
- releases/v1
- releases/v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}
jobs:
packaging-codescanning-config-inputs-js:
strategy:
matrix:
include:
- os: ubuntu-latest
version: latest
- os: macos-latest
version: latest
- os: windows-2019
version: latest
- os: windows-2022
version: latest
- os: ubuntu-latest
version: cached
- os: macos-latest
version: cached
- os: windows-2019
version: cached
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
- os: windows-2019
version: nightly-latest
- os: windows-2022
version: nightly-latest
name: 'Packaging: Config and input passed to the CLI'
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- uses: ./../action/init
with:
config-file: .github/codeql/codeql-config-packaging3.yml
packs: +dsp-testing/codeql-pack1@1.0.0
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
env:
TEST_MODE: true
- name: Check results
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |
cd "$RUNNER_TEMP/results"
# We should have 4 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/other-query-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n\r" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi
env:
CODEQL_PASS_CONFIG_TO_CLI: true
INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

8
.github/workflows/__packaging-config-inputs-js.yml generated vendored
View File

@@ -72,6 +72,14 @@ jobs:
output: ${{ runner.temp }}/results
env:
TEST_MODE: true
- name: Check results
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |

8
.github/workflows/__packaging-config-js.yml generated vendored
View File

@@ -71,6 +71,14 @@ jobs:
output: ${{ runner.temp }}/results
env:
TEST_MODE: true
- name: Check results
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |

8
.github/workflows/__packaging-inputs-js.yml generated vendored
View File

@@ -72,6 +72,14 @@ jobs:
output: ${{ runner.temp }}/results
env:
TEST_MODE: true
- name: Check results
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
queries-not-run: foo,bar
- name: Assert Results
shell: bash
run: |

1
.github/workflows/__split-workflow.yml generated vendored
View File

@@ -63,6 +63,7 @@ jobs:
output: ${{ runner.temp }}/results
env:
TEST_MODE: true
- name: Assert No Results
shell: bash
run: |

220
.github/workflows/codescanning-config-cli.yml vendored Normal file
View File

@@ -0,0 +1,220 @@
# Tests that the generated code scanning config file contains the expected contents
name: Code-Scanning config CLI tests
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
CODEQL_PASS_CONFIG_TO_CLI: true
on:
push:
branches:
- main
- releases/v1
- releases/v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}
jobs:
code-scanning-config-tests:
continue-on-error: true
strategy:
fail-fast: true
matrix:
include:
- os: ubuntu-latest
version: latest
- os: macos-latest
version: latest
- os: ubuntu-latest
version: cached
- os: macos-latest
version: cached
- os: ubuntu-latest
version: nightly-latest
- os: macos-latest
version: nightly-latest
# Code-Scanning config not created because environment variable is not set
name: Code Scanning Configuration tests
timeout-minutes: 45
runs-on: ${{ matrix.os }}
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: ${{ matrix.version }}
- name: Empty file
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: "{}"
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Packs from input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
}
languages: javascript
packs: dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Packs from input with +
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
}
languages: javascript
packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries from input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }]
}
languages: javascript
queries: ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries from input with +
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }]
}
languages: javascript
queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries and packs from input with +
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
"packs": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
}
languages: javascript
queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
packs: + dsp-testing/codeql-pack1@1.0.0, dsp-testing/codeql-pack2
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries and packs from config
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }],
"packs": {
"javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ]
}
}
languages: javascript
config-file-test: .github/codeql/queries-and-packs-config.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries and packs from config overriden by input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }],
"packs": ["codeql/javascript-queries"]
}
languages: javascript
queries: ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
packs: codeql/javascript-queries
config-file-test: .github/codeql/queries-and-packs-config.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Queries and packs from config merging with input
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: |
{
"queries": [
{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" },
{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql" }
],
"packs": {
"javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2", "codeql/javascript-queries" ]
}
}
languages: javascript
queries: + ./codeql-qlpacks/complex-javascript-qlpack/show_ifs.ql
packs: + codeql/javascript-queries
config-file-test: .github/codeql/queries-and-packs-config.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Multi-language packs from config
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: |
{
"packs": {
"javascript": ["dsp-testing/codeql-pack1@1.0.0", "dsp-testing/codeql-pack2" ],
"ruby": ["codeql/ruby-queries"]
},
"queries": [
{ "uses": "./codeql-qlpacks/complex-javascript-qlpack/foo2/show_ifs.ql" }
]
}
languages: javascript,ruby
config-file-test: .github/codeql/multi-language-packs-config.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Other config properties
if: success() || failure()
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: |
{
"name": "Config using all properties",
"packs": ["codeql/javascript-queries" ],
"disable-default-queries": true,
"paths-ignore": ["xxx"],
"paths": ["yyy"]
}
languages: javascript
packs: + codeql/javascript-queries
config-file-test: .github/codeql/other-config-properties.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
- name: Config not generated when env var is not set
if: success() || failure()
env:
CODEQL_PASS_CONFIG_TO_CLI: false
uses: ./../action/.github/check-codescanning-config
with:
expected-config-file-contents: ""
languages: javascript
packs: + codeql/javascript-queries
config-file-test: .github/codeql/other-config-properties.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}