Export configuration information for red runs

2025-12-28 10:10:17 +08:00 · 2023-03-07 18:03:58 +00:00
parent e4b846c482
commit d98eadb536
12 changed files with 92 additions and 19 deletions
--- a/src/codeql.ts
+++ b/src/codeql.ts
@@ -6,7 +6,7 @@ import * as yaml from "js-yaml";

 import { getOptionalInput } from "./actions-util";
 import * as api from "./api-client";
-import { Config } from "./config-utils";
+import { Config, getGeneratedCodeScanningConfigPath } from "./config-utils";
 import { errorMatchers } from "./error-matcher";
 import { CodeQLDefaultVersionInfo, FeatureEnablement } from "./feature-flags";
 import { ToolsSource } from "./init";
@@ -184,7 +184,8 @@ export interface CodeQL {
   */
  diagnosticsExport(
    sarifFile: string,
-    automationDetailsId: string | undefined
+    automationDetailsId: string | undefined,
+    config: Config
  ): Promise<void>;
 }

@@ -290,6 +291,12 @@ export const CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = "2.10.3";
 */
 export const CODEQL_VERSION_SECURITY_EXPERIMENTAL_SUITE = "2.12.1";

+/**
+ * Versions 2.12.3+ of the CodeQL CLI support exporting information in the code scanning
+ * configuration file to SARIF.
+ */
+export const CODEQL_VERSION_EXPORT_CODE_SCANNING_CONFIG = "2.12.3";
+
 /**
 * Versions 2.12.4+ of the CodeQL CLI support the `--qlconfig-file` flag in calls to `database init`.
 */
@@ -973,13 +980,15 @@ export async function getCodeQLForCmd(
    },
    async diagnosticsExport(
      sarifFile: string,
-      automationDetailsId: string | undefined
+      automationDetailsId: string | undefined,
+      config: Config
    ): Promise<void> {
      const args = [
        "diagnostics",
        "export",
        "--format=sarif-latest",
        `--output=${sarifFile}`,
+        ...(await getCodeScanningConfigExportArguments(config, this)),
        ...getExtraOptionsFromEnv(["diagnostics", "export"]),
      ];
      if (automationDetailsId !== undefined) {
@@ -1124,10 +1133,8 @@ async function generateCodeScanningConfig(
  if (!(await util.useCodeScanningConfigInCli(codeql, featureEnablement))) {
    return;
  }
-  const codeScanningConfigFile = path.resolve(
-    config.tempDir,
-    "user-config.yaml"
-  );
+  const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
+
  // make a copy so we can modify it
  const augmentedConfig = cloneObject(config.originalUserInput);

@@ -1198,3 +1205,26 @@ async function generateCodeScanningConfig(
 function cloneObject<T>(obj: T): T {
  return JSON.parse(JSON.stringify(obj));
 }
+
+/**
+ * Gets arguments for passing the code scanning configuration file to interpretation commands like
+ * `codeql database interpret-results` and `codeql database export-diagnostics`.
+ *
+ * Returns an empty list if a code scanning configuration file was not generated by the CLI.
+ */
+async function getCodeScanningConfigExportArguments(
+  config: Config,
+  codeql: CodeQL
+): Promise<string[]> {
+  const codeScanningConfigPath = getGeneratedCodeScanningConfigPath(config);
+  if (
+    fs.existsSync(codeScanningConfigPath) &&
+    (await util.codeQlVersionAbove(
+      codeql,
+      CODEQL_VERSION_EXPORT_CODE_SCANNING_CONFIG
+    ))
+  ) {
+    return ["--sarif-codescanning-config", codeScanningConfigPath];
+  }
+  return [];
+}