Merge main into wait-for-processing-2.

2025-12-30 19:20:08 +08:00 · 2022-04-14 08:48:39 +01:00
parent 9885f86fab 7a12645d7e
commit e7869d541b
92 changed files with 1144 additions and 410 deletions
--- a/src/actions-util.ts
+++ b/src/actions-util.ts
@@ -424,7 +424,7 @@ async function getWorkflowPath(): Promise<string> {

  const apiClient = api.getActionsApiClient();
  const runsResponse = await apiClient.request(
-    "GET /repos/:owner/:repo/actions/runs/:run_id",
+    "GET /repos/:owner/:repo/actions/runs/:run_id?exclude_pull_requests=true",
    {
      owner,
      repo,
@@ -544,7 +544,7 @@ export async function getRef(): Promise<string> {

  const head = await getCommitOid(checkoutPath, "HEAD");

-  // in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
+  // in actions/checkout@v2+ we can check if git rev-parse HEAD == GITHUB_SHA
  // in actions/checkout@v1 this may not be true as it checks out the repository
  // using GITHUB_REF. There is a subtle race condition where
  // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check
--- a/src/analyze.ts
+++ b/src/analyze.ts
@@ -6,7 +6,6 @@ import * as yaml from "js-yaml";

 import * as analysisPaths from "./analysis-paths";
 import {
-  CODEQL_VERSION_CONFIG_FILES,
  CODEQL_VERSION_COUNTS_LINES,
  CODEQL_VERSION_NEW_TRACING,
  getCodeQL,
@@ -238,10 +237,7 @@ export async function runQueries(

    const codeql = await getCodeQL(config.codeQLCmd);
    try {
-      if (
-        hasPackWithCustomQueries &&
-        !(await util.codeQlVersionAbove(codeql, CODEQL_VERSION_CONFIG_FILES))
-      ) {
+      if (hasPackWithCustomQueries) {
        logger.info("Performing analysis with custom CodeQL Packs.");
        logger.startGroup(`Downloading custom packs for ${language}`);

--- a/src/autobuild-action.ts
+++ b/src/autobuild-action.ts
@@ -3,6 +3,7 @@ import * as core from "@actions/core";
 import {
  createStatusReportBase,
  getActionsStatus,
+  getOptionalInput,
  getTemporaryDirectory,
  sendStatusReport,
  StatusReportBase,
@@ -71,6 +72,13 @@ async function run() {
    }
    language = determineAutobuildLanguage(config, logger);
    if (language !== undefined) {
+      const workingDirectory = getOptionalInput("working-directory");
+      if (workingDirectory) {
+        logger.info(
+          `Changing autobuilder working directory to ${workingDirectory}`
+        );
+        process.chdir(workingDirectory);
+      }
      await runAutobuild(language, config, logger);
    }
  } catch (error) {
--- a/src/codeql.ts
+++ b/src/codeql.ts
@@ -4,7 +4,6 @@ import * as path from "path";
 import * as toolrunner from "@actions/exec/lib/toolrunner";
 import { IHeaders } from "@actions/http-client/interfaces";
 import { default as deepEqual } from "fast-deep-equal";
-import * as yaml from "js-yaml";
 import { default as queryString } from "query-string";
 import * as semver from "semver";

@@ -18,7 +17,7 @@ import { Logger } from "./logging";
 import * as toolcache from "./toolcache";
 import { toolrunnerErrorCatcher } from "./toolrunner-error-catcher";
 import * as util from "./util";
-import { isGoodVersion, ML_POWERED_JS_QUERIES_PACK } from "./util";
+import { isGoodVersion } from "./util";

 type Options = Array<string | number | boolean>;

@@ -220,7 +219,6 @@ const CODEQL_VERSION_GROUP_RULES = "2.5.5";
 const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
 export const CODEQL_VERSION_COUNTS_LINES = "2.6.2";
 const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
-export const CODEQL_VERSION_CONFIG_FILES = "2.8.2"; // Versions before 2.8.2 weren't tolerant to unknown properties
 export const CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";

 /**
@@ -735,27 +733,6 @@ async function getCodeQLForCmd(
          extraArgs.push(`--trace-process-level=${processLevel || 3}`);
        }
      }
-      if (await util.codeQlVersionAbove(codeql, CODEQL_VERSION_CONFIG_FILES)) {
-        const configLocation = path.resolve(config.tempDir, "user-config.yaml");
-        const augmentedConfig = config.originalUserInput;
-        if (config.injectedMlQueries) {
-          // We need to inject the ML queries into the original user input before
-          // we pass this on to the CLI, to make sure these get run.
-          let packString = ML_POWERED_JS_QUERIES_PACK.packName;
-          if (ML_POWERED_JS_QUERIES_PACK.version)
-            packString = `${packString}@${ML_POWERED_JS_QUERIES_PACK.version}`;
-          if (augmentedConfig.packs === undefined) augmentedConfig.packs = [];
-          if (Array.isArray(augmentedConfig.packs)) {
-            augmentedConfig.packs.push(packString);
-          } else {
-            if (!augmentedConfig.packs.javascript)
-              augmentedConfig.packs["javascript"] = [];
-            augmentedConfig.packs["javascript"].push(packString);
-          }
-        }
-        fs.writeFileSync(configLocation, yaml.dump(augmentedConfig));
-        extraArgs.push(`--codescanning-config=${configLocation}`);
-      }
      await runTool(cmd, [
        "database",
        "init",
@@ -913,9 +890,7 @@ async function getCodeQLForCmd(
      if (extraSearchPath !== undefined) {
        codeqlArgs.push("--additional-packs", extraSearchPath);
      }
-      if (!(await util.codeQlVersionAbove(this, CODEQL_VERSION_CONFIG_FILES))) {
-        codeqlArgs.push(querySuitePath);
-      }
+      codeqlArgs.push(querySuitePath);
      await runTool(cmd, codeqlArgs);
    },
    async databaseInterpretResults(
@@ -951,9 +926,7 @@ async function getCodeQLForCmd(
        codeqlArgs.push("--sarif-category", automationDetailsId);
      }
      codeqlArgs.push(databasePath);
-      if (!(await util.codeQlVersionAbove(this, CODEQL_VERSION_CONFIG_FILES))) {
-        codeqlArgs.push(...querySuitePaths);
-      }
+      codeqlArgs.push(...querySuitePaths);
      // capture stdout, which contains analysis summaries
      return await runTool(cmd, codeqlArgs);
    },
--- a/src/config-utils.test.ts
+++ b/src/config-utils.test.ts
@@ -1788,7 +1788,8 @@ const mlPoweredQueriesMacro = test.macro({
    }`,
 });

-// macro, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, versionString
+// macro, codeQLVersion, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, expectedVersionString
+// Test that ML-powered queries aren't run on v2.7.4 of the CLI.
 test(
  mlPoweredQueriesMacro,
  "2.7.4",
@@ -1797,6 +1798,7 @@ test(
  "security-extended",
  undefined
 );
+// Test that ML-powered queries aren't run when the feature flag is off.
 test(
  mlPoweredQueriesMacro,
  "2.7.5",
@@ -1805,28 +1807,42 @@ test(
  "security-extended",
  undefined
 );
+// Test that ML-powered queries aren't run when the user hasn't specified that we should run the
+// `security-extended` or `security-and-quality` query suite.
 test(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
+// Test that ML-powered queries are run on non-Windows platforms running `security-extended`.
 test(
  mlPoweredQueriesMacro,
  "2.7.5",
  true,
  undefined,
  "security-extended",
-  "~0.1.0"
+  process.platform === "win32" ? undefined : "~0.1.0"
 );
+// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality`.
 test(
  mlPoweredQueriesMacro,
  "2.7.5",
  true,
  undefined,
  "security-and-quality",
-  "~0.1.0"
+  process.platform === "win32" ? undefined : "~0.1.0"
 );
+// Test that we don't inject an ML-powered query pack if the user has already specified one.
 test(
  mlPoweredQueriesMacro,
  "2.7.5",
  true,
  "codeql/javascript-experimental-atm-queries@0.0.1",
  "security-and-quality",
-  "0.0.1"
+  process.platform === "win32" ? undefined : "0.0.1"
+);
+// Test that the ~0.2.0 version of ML-powered queries is run on v2.8.4 of the CLI.
+test(
+  mlPoweredQueriesMacro,
+  "2.8.4",
+  true,
+  undefined,
+  "security-extended",
+  process.platform === "win32" ? undefined : "~0.2.0"
 );
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -17,8 +17,9 @@ import { Logger } from "./logging";
 import { RepositoryNwo } from "./repository";
 import {
  codeQlVersionAbove,
+  getMlPoweredJsQueriesPack,
  GitHubVersion,
-  ML_POWERED_JS_QUERIES_PACK,
+  ML_POWERED_JS_QUERIES_PACK_NAME,
 } from "./util";

 // Property names from the user-supplied config file.
@@ -299,10 +300,12 @@ async function addBuiltinSuiteQueries(
  // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
  // pack, then add the ML-powered query pack so that we run ML-powered queries.
  if (
+    // Disable ML-powered queries on Windows
+    process.platform !== "win32" &&
    languages.includes("javascript") &&
    (found === "security-extended" || found === "security-and-quality") &&
    !packs.javascript?.some(
-      (pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK.packName
+      (pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK_NAME
    ) &&
    (await featureFlags.getValue(FeatureFlag.MlPoweredQueriesEnabled)) &&
    (await codeQlVersionAbove(codeQL, CODEQL_VERSION_ML_POWERED_QUERIES))
@@ -310,7 +313,7 @@ async function addBuiltinSuiteQueries(
    if (!packs.javascript) {
      packs.javascript = [];
    }
-    packs.javascript.push(ML_POWERED_JS_QUERIES_PACK);
+    packs.javascript.push(await getMlPoweredJsQueriesPack(codeQL));
    injectedMlQueries = true;
  }

--- a/src/defaults.json
+++ b/src/defaults.json
@@ -1,3 +1,3 @@
 {
-  "bundleVersion": "codeql-bundle-20220322"
+  "bundleVersion": "codeql-bundle-20220401"
 }
--- a/src/util.test.ts
+++ b/src/util.test.ts
@@ -294,32 +294,43 @@ async function mockStdInForAuthExpectError(
 }

 const ML_POWERED_JS_STATUS_TESTS: Array<[PackWithVersion[], string]> = [
+  // If no packs are loaded, status is false.
  [[], "false"],
+  // If another pack is loaded but not the ML-powered query pack, status is false.
  [[{ packName: "someOtherPack" }], "false"],
+  // If the ML-powered query pack is loaded with a specific version, status is that version.
  [
-    [{ packName: "someOtherPack" }, util.ML_POWERED_JS_QUERIES_PACK],
-    util.ML_POWERED_JS_QUERIES_PACK.version!,
-  ],
-  [[util.ML_POWERED_JS_QUERIES_PACK], util.ML_POWERED_JS_QUERIES_PACK.version!],
-  [[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName }], "other"],
-  [
-    [{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "~0.0.1" }],
-    "other",
-  ],
-  [
-    [
-      { packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.1" },
-      { packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.2" },
-    ],
-    "other",
+    [{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" }],
+    "~0.1.0",
  ],
+  // If the ML-powered query pack is loaded with a specific version and another pack is loaded, the
+  // status is the version of the ML-powered query pack.
  [
    [
      { packName: "someOtherPack" },
-      { packName: util.ML_POWERED_JS_QUERIES_PACK.packName },
+      { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" },
+    ],
+    "~0.1.0",
+  ],
+  // If the ML-powered query pack is loaded without a version, the status is "latest".
+  [[{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME }], "latest"],
+  // If the ML-powered query pack is loaded with two different versions, the status is "other".
+  [
+    [
+      { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.1" },
+      { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.2" },
    ],
    "other",
  ],
+  // If the ML-powered query pack is loaded with no specific version, and another pack is loaded,
+  // the status is "latest".
+  [
+    [
+      { packName: "someOtherPack" },
+      { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME },
+    ],
+    "latest",
+  ],
 ];

 for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
--- a/src/util.ts
+++ b/src/util.ts
@@ -653,25 +653,30 @@ export function isGoodVersion(versionSpec: string) {
  return !BROKEN_VERSIONS.includes(versionSpec);
 }

+export const ML_POWERED_JS_QUERIES_PACK_NAME =
+  "codeql/javascript-experimental-atm-queries";
+
 /**
- * The ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
+ * Gets the ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
 * queries beta.
 */
-export const ML_POWERED_JS_QUERIES_PACK: PackWithVersion = {
-  packName: "codeql/javascript-experimental-atm-queries",
-  version: "~0.1.0",
-};
+export async function getMlPoweredJsQueriesPack(
+  codeQL: CodeQL
+): Promise<PackWithVersion> {
+  if (await codeQlVersionAbove(codeQL, "2.8.4")) {
+    return { packName: ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.2.0" };
+  }
+  return { packName: ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" };
+}

 /**
 * Get information about ML-powered JS queries to populate status reports with.
 *
 * This will be:
 *
- * - The version string if the analysis is using the ML-powered query pack that will be added to the
- *   analysis if the repo is opted into the ML-powered queries beta, i.e.
- *   {@link ML_POWERED_JS_QUERIES_PACK.version}. If the version string
- *   {@link ML_POWERED_JS_QUERIES_PACK.version} is undefined, then the status report string will be
- *   "latest", however this shouldn't occur in practice (see comment below).
+ * - The version string if the analysis is using a single version of the ML-powered query pack.
+ * - "latest" if the version string of the ML-powered query pack is undefined. This is unlikely to
+ *   occur in practice (see comment below).
 * - "false" if the analysis won't run any ML-powered JS queries.
 * - "other" in all other cases.
 *
@@ -681,32 +686,25 @@ export const ML_POWERED_JS_QUERIES_PACK: PackWithVersion = {
 * version of the CodeQL Action. For instance, we might want to compare the `~0.1.0` and `~0.0.2`
 * version strings.
 *
- * We restrict the set of strings we report here by excluding other version strings and combinations
- * of version strings. We do this to limit the cardinality of the ML-powered JS queries status
- * report field, since some platforms that ingest this status report bill based on the cardinality
- * of its fields.
- *
 * This function lives here rather than in `init-action.ts` so it's easier to test, since tests for
 * `init-action.ts` would each need to live in their own file. See `analyze-action-env.ts` for an
 * explanation as to why this is.
 */
 export function getMlPoweredJsQueriesStatus(config: Config): string {
  const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter(
-    (pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK.packName
+    (pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK_NAME
  );
-  if (mlPoweredJsQueryPacks.length === 0) {
-    return "false";
+  switch (mlPoweredJsQueryPacks.length) {
+    case 1:
+      // We should always specify an explicit version string in `getMlPoweredJsQueriesPack`,
+      // otherwise we won't be able to make changes to the pack unless those changes are compatible
+      // with each version of the CodeQL Action. Therefore in practice we should only hit the
+      // `latest` case here when customers have explicitly added the ML-powered query pack to their
+      // CodeQL config.
+      return mlPoweredJsQueryPacks[0].version || "latest";
+    case 0:
+      return "false";
+    default:
+      return "other";
  }
-  const firstVersionString = mlPoweredJsQueryPacks[0].version;
-  if (
-    mlPoweredJsQueryPacks.length === 1 &&
-    ML_POWERED_JS_QUERIES_PACK.version === firstVersionString
-  ) {
-    // We should always specify an explicit version string in `ML_POWERED_JS_QUERIES_PACK`,
-    // otherwise we won't be able to make changes to the pack unless those changes are compatible
-    // with each version of the CodeQL Action. Therefore in practice, we should never hit the
-    // `latest` case here.
-    return ML_POWERED_JS_QUERIES_PACK.version || "latest";
-  }
-  return "other";
 }