Merge branch 'master' into disable-default-queries

.github/pull_request_template.md

@@ -1,6 +1,6 @@
 ### Merge / deployment checklist
 
-- Run test builds as necessary. Can be on this repository or elsewhere as needed in order to test the change - please include links to tests in otehr repos!
+- Run test builds as necessary. Can be on this repository or elsewhere as needed in order to test the change - please include links to tests in other repos!
   - [ ] CodeQL using init/finish actions
   - [ ] 3rd party tool using upload action
 - [ ] Confirm this change is backwards compatible with existing workflows.

README.md

@@ -1,9 +1,8 @@
- # CodeQL Action
+# CodeQL Action
+
 This action runs GitHub's industry-leading static analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/semmle/ql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
 
-[Sign up for the Advanced Security beta](https://github.com/features/security/advanced-security/signup)
- 
- ## Usage
+## Usage
 
 To get code scanning results from CodeQL analysis on your repo you can use the following workflow as a template:
 
@@ -22,39 +21,38 @@ jobs:
     strategy:
       fail-fast: false
 
-
     # CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
     runs-on: ubuntu-latest
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@v2
 
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
-      # Override language selection by uncommenting this and choosing your languages
-      # with:
-      #   languages: go, javascript, csharp, python, cpp, java
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v1
+        # Override language selection by uncommenting this and choosing your languages
+        # with:
+        #   languages: go, javascript, csharp, python, cpp, java
 
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below).
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below).
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v1
 
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 https://git.io/JvXDl
 
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
+      # ✏️ If the Autobuild fails above, remove it and uncomment the following
+      #    three lines and modify them (or add more) to build your code if your
+      #    project uses a compiled language
 
-    #- run: |
-    #   make bootstrap
-    #   make release
+      #- run: |
+      #   make bootstrap
+      #   make release
 
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v1
 ```
 
 If you prefer to integrate this within an existing CI workflow, it should end up looking something like this:
@@ -73,21 +71,25 @@ If you prefer to integrate this within an existing CI workflow, it should end up
 - name: Perform CodeQL Analysis
   uses: github/codeql-action/analyze@v1
 ```
+
 ### Actions triggers
-The CodeQL action should be run on `push` events, and on a `schedule`. `Push` events allow us to do detailed analysis of the delta in a pull request, while the `schedule` event ensures that GitHub regularly scans the repository for the latest vulnerabilities, even if the repository becomes inactive. This action does not support the `pull_request` event.
+
+The CodeQL action should be run on `push` events, and on a `schedule`. `Push` events allow us to do a detailed analysis of the delta in a pull request, while the `schedule` event ensures that GitHub regularly scans the repository for the latest vulnerabilities, even if the repository becomes inactive. This action does not support the `pull_request` event.
 
 ### Configuration
+
 You may optionally specify additional queries for CodeQL to execute by using a config file. The queries must belong to a [QL pack](https://help.semmle.com/codeql/codeql-cli/reference/qlpack-overview.html) and can be in your repository or any public repository. You can choose a single .ql file, a folder containing multiple .ql files, a .qls [query suite](https://help.semmle.com/codeql/codeql-cli/procedures/query-suites.html) file, or any combination of the above. To use queries from other repositories use the same syntax as when [using an action](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsuses).
 
 You can disable the default queries using `disable-default-queries: true`.
 
 You can choose to ignore some files or folders from the analysis, or include additional files/folders for analysis. This *only* works for Javascript and Python analysis.
 Identifying potential files for extraction:
-- Scans each folder that's defined as `paths` in turn, traversing subfolders and looking for relevant files.
+
+- Scans each folder that's defined as `paths` in turn, traversing subfolders, and looking for relevant files.
 - If it finds a subfolder that's defined as `paths-ignore`, stop traversing.
 - If a file or folder is both in `paths` and `paths-ignore`, the `paths-ignore` is ignored.
 
-Use the config-file parameter of the init action to enable the configuration file. For example:
+Use the `config-file` parameter of the init action to enable the configuration file. For example:
 
 ```yaml
 - uses: github/codeql-action/init@v1
@@ -116,8 +118,8 @@ paths:
   - src/util.ts
 
 paths-ignore:
- - src
- - lib
+  - src
+  - lib
 ```
 
 ## Troubleshooting
@@ -132,6 +134,7 @@ Try passing
 env:
   GOFLAGS: "-mod=vendor"
 ```
+
 to `github/codeql-action/analyze`.
 
 ### If you do not use a vendor directory
@@ -140,21 +143,24 @@ Dependencies on public repositories should just work. If you have dependencies o
 
 ```yaml
 steps:
-- name: Configure git private repo access
-  env:
-    TOKEN: ${{ secrets.GITHUB_PAT }}
-  run: |
-    git config --global url."https://${TOKEN}@github.com/foo/bar".insteadOf "https://github.com/foo/bar"
-    git config --global url."https://${TOKEN}@github.com/foo/baz".insteadOf "https://github.com/foo/baz"
+  - name: Configure git private repo access
+    env:
+      TOKEN: ${{ secrets.GITHUB_PAT }}
+    run: |
+      git config --global url."https://${TOKEN}@github.com/foo/bar".insteadOf "https://github.com/foo/bar"
+      git config --global url."https://${TOKEN}@github.com/foo/baz".insteadOf "https://github.com/foo/baz"
 ```
-before any codeql actions. A similar thing can also be done with a SSH key or deploy key.
+
+before any codeql actions. A similar thing can also be done with an SSH key or deploy key.
 
 ### C# using dotnet version 2 on linux
 
 This currently requires invoking `dotnet` with the `/p:UseSharedCompilation=false` flag. For example:
-```
+
+```shell
 dotnet build /p:UseSharedCompilation=false
 ```
+
 Version 3 does not require the additional flag.
 
 ## License

lib/config-utils.js

@@ -88,7 +88,7 @@ function initConfig() {
             });
         }
         const pathsIgnore = parsedYAML['paths-ignore'];
-        if (pathsIgnore && queries instanceof Array) {
+        if (pathsIgnore && pathsIgnore instanceof Array) {
             pathsIgnore.forEach(path => {
                 if (typeof path === "string") {
                     config.pathsIgnore.push(path);

lib/upload-lib.js

@@ -100,6 +100,7 @@ async function uploadFiles(sarifFiles) {
         if (matrix === "null" || matrix === "") {
             matrix = undefined;
         }
+        const toolNames = util.getToolNames(sarifPayload);
         const payload = JSON.stringify({
             "commit_oid": commitOid,
             "ref": ref,
@@ -108,7 +109,8 @@ async function uploadFiles(sarifFiles) {
             "workflow_run_id": workflowRunID,
             "checkout_uri": checkoutURI,
             "environment": matrix,
-            "started_at": startedAt
+            "started_at": startedAt,
+            "tool_names": toolNames,
         });
         core.info('Uploading results');
         const githubToken = core.getInput('token');

lib/util.js

@@ -262,3 +262,21 @@ async function reportActionSucceeded(action) {
     await sendStatusReport(await createStatusReport(action, 'success'));
 }
 exports.reportActionSucceeded = reportActionSucceeded;
+/**
+ * Get the array of all the tool names contained in the given sarif contents.
+ *
+ * Returns an array of unique string tool names.
+ */
+function getToolNames(sarifContents) {
+    const sarif = JSON.parse(sarifContents);
+    const toolNames = {};
+    for (const run of sarif.runs || []) {
+        const tool = run.tool || {};
+        const driver = tool.driver || {};
+        if (typeof driver.name === "string" && driver.name.length > 0) {
+            toolNames[driver.name] = true;
+        }
+    }
+    return Object.keys(toolNames);
+}
+exports.getToolNames = getToolNames;

package-lock.json

@@ -15,9 +15,9 @@
       "integrity": "sha512-nvFkxwiicvpzNiCBF4wFBDfnBvi7xp/as7LE1hBxBxKG2L29+gkIPBiLKMVORL+Hg3JNf07AKRfl0V5djoypjQ=="
     },
     "@actions/http-client": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.4.tgz",
-      "integrity": "sha512-6EzXhqapKKtYr21ZnFQVBYwfrYPKPCivuSkUN/66/BDakkH2EPjUZH8tZ3MgHdI+gQIdcsY0ybbxw9ZEOmJB6g==",
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.8.tgz",
+      "integrity": "sha512-G4JjJ6f9Hb3Zvejj+ewLLKLf99ZC+9v+yCxoYf9vSyH+WkzPLB2LuUtRMGNkooMqdugGBFStIKXOuvH1W+EctA==",
       "requires": {
         "tunnel": "0.0.6"
       },

package.json

@@ -12,7 +12,7 @@
   "dependencies": {
     "@actions/core": "^1.0.0",
     "@actions/exec": "^1.0.1",
-    "@actions/http-client": "^1.0.4",
+    "@actions/http-client": "^1.0.8",
     "@actions/io": "^1.0.1",
     "@actions/tool-cache": "^1.1.2",
     "@octokit/rest": "^17.1.0",

src/config-utils.ts

@@ -96,7 +96,7 @@ function initConfig(): Config {
         }
 
         const pathsIgnore = parsedYAML['paths-ignore'];
-        if (pathsIgnore && queries instanceof Array) {
+        if (pathsIgnore && pathsIgnore instanceof Array) {
             pathsIgnore.forEach(path => {
                 if (typeof path === "string") {
                     config.pathsIgnore.push(path);

src/testdata/tool-names.sarif

@@ -0,0 +1,41 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL command-line toolchain"
+        }
+      }
+    },
+    {
+      "tool": {
+        "driver": {
+          "name": "CodeQL command-line toolchain"
+        }
+      }
+    },
+    {
+      "tool": {
+        "driver": {
+          "name": "ESLint"
+        }
+      }
+    },
+    {
+      "tool": {
+        "driver": {
+          "name": ""
+        }
+      }
+    },
+    {
+      "tool": {
+        "driver": {
+          "name": null
+        }
+      }
+    }
+  ]
+}

src/upload-lib.ts

@@ -98,6 +98,8 @@ async function uploadFiles(sarifFiles: string[]) {
             matrix = undefined;
         }
 
+        const toolNames = util.getToolNames(sarifPayload);
+
         const payload = JSON.stringify({
             "commit_oid": commitOid,
             "ref": ref,
@@ -106,7 +108,8 @@ async function uploadFiles(sarifFiles: string[]) {
             "workflow_run_id": workflowRunID,
             "checkout_uri": checkoutURI,
             "environment": matrix,
-            "started_at": startedAt
+            "started_at": startedAt,
+            "tool_names": toolNames,
         });
 
         core.info('Uploading results');

src/util.test.ts

@@ -0,0 +1,9 @@
+import * as fs from 'fs';
+
+import * as util from './util';
+
+test('getToolNames', () => {
+  const input = fs.readFileSync(__dirname + '/testdata/tool-names.sarif', 'utf8')
+  const toolNames = util.getToolNames(input);
+  expect(toolNames).toStrictEqual(["CodeQL command-line toolchain", "ESLint"])
+})

src/util.ts

@@ -293,3 +293,23 @@ export async function reportActionFailed(action: string, cause?: string, excepti
 export async function reportActionSucceeded(action: string) {
     await sendStatusReport(await createStatusReport(action, 'success'));
 }
+
+/**
+ * Get the array of all the tool names contained in the given sarif contents.
+ *
+ * Returns an array of unique string tool names.
+ */
+export function getToolNames(sarifContents: string): string[] {
+    const sarif = JSON.parse(sarifContents);
+    const toolNames = {};
+
+    for (const run of sarif.runs || []) {
+        const tool = run.tool || {};
+        const driver = tool.driver || {};
+        if (typeof driver.name === "string" && driver.name.length > 0) {
+            toolNames[driver.name] = true;
+        }
+    }
+
+    return Object.keys(toolNames);
+}