diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js index 1f53d4775..641b11a8b 100644 --- a/lib/analyze-action-post.js +++ b/lib/analyze-action-post.js @@ -117083,6 +117083,9 @@ function wrapError(error2) { function getErrorMessage(error2) { return error2 instanceof Error ? error2.message : String(error2); } +function cloneObject(obj) { + return JSON.parse(JSON.stringify(obj)); +} async function asyncSome(array, predicate) { const results = await Promise.all(array.map(predicate)); return results.some((result) => result); @@ -117240,9 +117243,9 @@ async function getGitHubVersion() { } // src/codeql.ts -var fs3 = __toESM(require("fs")); -var path3 = __toESM(require("path")); -var core9 = __toESM(require_core()); +var fs4 = __toESM(require("fs")); +var path4 = __toESM(require("path")); +var core10 = __toESM(require_core()); var toolrunner3 = __toESM(require_toolrunner()); // src/cli-errors.ts @@ -117482,6 +117485,22 @@ function wrapCliConfigurationError(cliError) { return new ConfigurationError(errorMessageBuilder); } +// src/config-utils.ts +var fs3 = __toESM(require("fs")); +var path3 = __toESM(require("path")); +var semver4 = __toESM(require_semver2()); + +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); + +// src/caching-utils.ts +var core6 = __toESM(require_core()); + // src/feature-flags.ts var semver3 = __toESM(require_semver2()); 
@@ -117491,13 +117510,13 @@ var path2 = __toESM(require("path")); var actionsCache = __toESM(require_cache3()); // src/git-utils.ts -var core6 = __toESM(require_core()); +var core7 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); var runGitCommand = async function(workingDirectory, args, customErrorMessage) { let stdout = ""; let stderr = ""; - core6.debug(`Running git command: git ${args.join(" ")}`); + core7.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, @@ -117517,7 +117536,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) { if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error2; } }; @@ -117628,7 +117647,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core6.debug( + core7.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; @@ -117654,16 +117673,16 @@ async function isAnalyzingDefaultBranch() { } // src/logging.ts -var core7 = __toESM(require_core()); +var core8 = __toESM(require_core()); function getActionsLogger() { - return core7; + return core8; } function withGroup(groupName, f) { - core7.startGroup(groupName); + core8.startGroup(groupName); try { return f(); } finally { - core7.endGroup(); + core8.endGroup(); } } 
@@ -117898,23 +117917,89 @@ var featureConfig = { } }; +// src/trap-caching.ts +var actionsCache2 = __toESM(require_cache3()); + +// src/config-utils.ts +var OVERLAY_ANALYSIS_FEATURES = { + actions: "overlay_analysis_actions" /* OverlayAnalysisActions */, + cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, + csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, + go: "overlay_analysis_go" /* OverlayAnalysisGo */, + java: "overlay_analysis_java" /* OverlayAnalysisJava */, + javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, + python: "overlay_analysis_python" /* OverlayAnalysisPython */, + ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */, + rust: "overlay_analysis_rust" /* OverlayAnalysisRust */, + swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */ +}; +var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { + actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */, + cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, + csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, + go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, + java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, + javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, + python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, + ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */, + rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */, + swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */ +}; +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); 
+})(); +function getPathToParsedConfigFile(tempDir) { + return path3.join(tempDir, "config"); +} +async function getConfig(tempDir, logger) { + const configFile = getPathToParsedConfigFile(tempDir); + if (!fs3.existsSync(configFile)) { + return void 0; + } + const configString = fs3.readFileSync(configFile, "utf8"); + logger.debug("Loaded config:"); + logger.debug(configString); + return JSON.parse(configString); +} +function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { + if (extraQueryExclusions.length === 0) { + return cliConfig; + } + const augmentedConfig = cloneObject(cliConfig); + augmentedConfig["query-filters"] = [ + // Ordering matters. If the first filter is an inclusion, it implicitly + // excludes all queries that are not included. If it is an exclusion, + // it implicitly includes all queries that are not excluded. So user + // filters (if any) should always be first to preserve intent. + ...augmentedConfig["query-filters"] || [], + ...extraQueryExclusions + ]; + if (augmentedConfig["query-filters"]?.length === 0) { + delete augmentedConfig["query-filters"]; + } + return augmentedConfig; +} + // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver4 = __toESM(require_semver2()); +var semver5 = __toESM(require_semver2()); // src/tools-download.ts -var core8 = __toESM(require_core()); +var core9 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver5 = __toESM(require_semver2()); +var semver6 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 
1024; // src/tracer-config.ts @@ -117972,12 +118057,12 @@ async function getCodeQLForCmd(cmd, checkVersion) { }, async isTracedLanguage(language) { const extractorPath = await this.resolveExtractor(language); - const tracingConfigPath = path3.join( + const tracingConfigPath = path4.join( extractorPath, "tools", "tracing-config.lua" ); - return fs3.existsSync(tracingConfigPath); + return fs4.existsSync(tracingConfigPath); }, async isScannedLanguage(language) { return !await this.isTracedLanguage(language); @@ -118048,7 +118133,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { }, async runAutobuild(config, language) { applyAutobuildAzurePipelinesTimeoutFix(); - const autobuildCmd = path3.join( + const autobuildCmd = path4.join( await this.resolveExtractor(language), "tools", process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh" 
@@ -118369,12 +118454,12 @@ ${output}` ); } else if (checkVersion && process.env["CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */] !== "true" && !await codeQlVersionAtLeast(codeql, CODEQL_NEXT_MINIMUM_VERSION)) { const result = await codeql.getVersion(); - core9.warning( + core10.warning( `CodeQL CLI version ${result.version} was discontinued on ${GHES_MOST_RECENT_DEPRECATION_DATE} alongside GitHub Enterprise Server ${GHES_VERSION_MOST_RECENTLY_DEPRECATED} and will not be supported by the next minor release of the CodeQL Action. Please update to CodeQL CLI version ${CODEQL_NEXT_MINIMUM_VERSION} or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version. Alternatively, if you want to continue using CodeQL CLI version ${result.version}, you can replace 'github/codeql-action/*@v${getActionVersion().split(".")[0]}' by 'github/codeql-action/*@v${getActionVersion()}' in your code scanning workflow to continue using this version of the CodeQL Action.` ); - core9.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); + core10.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); } return codeql; } 
@@ -118426,13 +118511,17 @@ async function runCli(cmd, args = [], opts = {}) { } async function writeCodeScanningConfigFile(config, logger) { const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config); + const augmentedConfig = appendExtraQueryExclusions( + config.extraQueryExclusions, + config.computedConfig + ); logger.info( `Writing augmented user configuration file to ${codeScanningConfigFile}` ); logger.startGroup("Augmented user configuration file contents"); - logger.info(dump(config.computedConfig)); + logger.info(dump(augmentedConfig)); logger.endGroup(); - fs3.writeFileSync(codeScanningConfigFile, dump(config.computedConfig)); + fs4.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; @@ -118455,7 +118544,7 @@ async function getTrapCachingExtractorConfigArgsForLang(config, language) { ]; } function getGeneratedCodeScanningConfigPath(config) { - return path3.resolve(config.tempDir, "user-config.yaml"); + return path4.resolve(config.tempDir, "user-config.yaml"); } function getExtractionVerbosityArguments(enableDebugLogging) { return enableDebugLogging ? [`--verbosity=${EXTRACTION_DEBUG_MODE_VERBOSITY}`] : []; 
@@ -118475,70 +118564,6 @@ async function getJobRunUuidSarifOptions(codeql) { ) ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : []; } -// src/config-utils.ts -var fs4 = __toESM(require("fs")); -var path4 = __toESM(require("path")); -var semver7 = __toESM(require_semver2()); - -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); - -// src/caching-utils.ts -var core10 = __toESM(require_core()); - -// src/trap-caching.ts -var actionsCache2 = __toESM(require_cache3()); - -// src/config-utils.ts -var OVERLAY_ANALYSIS_FEATURES = { - actions: "overlay_analysis_actions" /* OverlayAnalysisActions */, - cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, - csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, - go: "overlay_analysis_go" /* OverlayAnalysisGo */, - java: "overlay_analysis_java" /* OverlayAnalysisJava */, - javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, - python: "overlay_analysis_python" /* OverlayAnalysisPython */, - ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */, - rust: "overlay_analysis_rust" /* OverlayAnalysisRust */, - swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */ -}; -var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { - actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */, - cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, - csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, - go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, - java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, - javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, - python: 
"overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, - ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */, - rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */, - swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */ -}; -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); -function getPathToParsedConfigFile(tempDir) { - return path4.join(tempDir, "config"); -} -async function getConfig(tempDir, logger) { - const configFile = getPathToParsedConfigFile(tempDir); - if (!fs4.existsSync(configFile)) { - return void 0; - } - const configString = fs4.readFileSync(configFile, "utf8"); - logger.debug("Loaded config:"); - logger.debug(configString); - return JSON.parse(configString); -} - // src/debug-artifacts.ts var fs5 = __toESM(require("fs")); var path5 = __toESM(require("path")); diff --git a/lib/analyze-action.js b/lib/analyze-action.js index 6b04b1d3e..414f7b7bd 100644 --- a/lib/analyze-action.js +++ b/lib/analyze-action.js @@ -89845,6 +89845,9 @@ function satisfiesGHESVersion(ghesVersion, range, defaultIfInvalid) { semverVersion.prerelease = []; return semver.satisfies(semverVersion, range); } +function cloneObject(obj) { + return JSON.parse(JSON.stringify(obj)); +} async function checkSipEnablement(logger) { if (process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */] !== void 0 && ["true", "false"].includes(process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */])) { return process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */] === "true"; 
@@ -90284,12 +90287,12 @@ function wrapApiConfigurationError(e) { } // src/autobuild.ts -var core10 = __toESM(require_core()); +var core11 = __toESM(require_core()); // src/codeql.ts -var fs12 = __toESM(require("fs")); -var path12 = __toESM(require("path")); -var core9 = __toESM(require_core()); +var fs14 = __toESM(require("fs")); +var path14 = __toESM(require("path")); +var core10 = __toESM(require_core()); var toolrunner3 = __toESM(require_toolrunner()); // src/cli-errors.ts @@ -90529,6 +90532,27 @@ function wrapCliConfigurationError(cliError) { return new ConfigurationError(errorMessageBuilder); } +// src/config-utils.ts +var fs9 = __toESM(require("fs")); +var path10 = __toESM(require("path")); +var semver4 = __toESM(require_semver2()); + +// src/caching-utils.ts +var core6 = __toESM(require_core()); +async function getTotalCacheSize(paths, logger, quiet = false) { + const sizes = await Promise.all( + paths.map((cacheDir) => tryGetFolderBytes(cacheDir, logger, quiet)) + ); + return sizes.map((a) => a || 0).reduce((a, b) => a + b, 0); +} +function shouldStoreCache(kind) { + return kind === "full" /* Full */ || kind === "store" /* Store */; +} + +// src/diff-informed-analysis-utils.ts +var fs8 = __toESM(require("fs")); +var path9 = __toESM(require("path")); + // src/feature-flags.ts var fs7 = __toESM(require("fs")); var path8 = __toESM(require("path")); @@ -90544,13 +90568,13 @@ var path7 = __toESM(require("path")); var actionsCache = __toESM(require_cache3()); // src/git-utils.ts -var core6 = __toESM(require_core()); +var core7 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); var runGitCommand = async function(workingDirectory, args, customErrorMessage) { let stdout = ""; let stderr = ""; - core6.debug(`Running git command: git ${args.join(" ")}`); + core7.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, 
@@ -90570,7 +90594,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) { if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error2; } }; @@ -90715,7 +90739,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core6.debug( + core7.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; @@ -90741,16 +90765,16 @@ async function isAnalyzingDefaultBranch() { } // src/logging.ts -var core7 = __toESM(require_core()); +var core8 = __toESM(require_core()); function getActionsLogger() { - return core7; + return core8; } async function withGroupAsync(groupName, f) { - core7.startGroup(groupName); + core8.startGroup(groupName); try { return await f(); } finally { - core7.endGroup(); + core8.endGroup(); } } function formatDuration(durationMs) { 
@@ -91352,12 +91376,243 @@ var GitHubFeatureFlags = class { } }; +// src/diff-informed-analysis-utils.ts +async function getDiffInformedAnalysisBranches(codeql, features, logger) { + if (!await features.getValue("diff_informed_queries" /* DiffInformedQueries */, codeql)) { + return void 0; + } + const gitHubVersion = await getGitHubVersion(); + if (gitHubVersion.type === 1 /* GHES */ && satisfiesGHESVersion(gitHubVersion.version, "<3.19", true)) { + return void 0; + } + const branches = getPullRequestBranches(); + if (!branches) { + logger.info( + "Not performing diff-informed analysis because we are not analyzing a pull request." + ); + } + return branches; +} +function getDiffRangesJsonFilePath() { + return path9.join(getTemporaryDirectory(), "pr-diff-range.json"); +} +function writeDiffRangesJsonFile(logger, ranges) { + const jsonContents = JSON.stringify(ranges, null, 2); + const jsonFilePath = getDiffRangesJsonFilePath(); + fs8.writeFileSync(jsonFilePath, jsonContents); + logger.debug( + `Wrote pr-diff-range JSON file to ${jsonFilePath}: +${jsonContents}` + ); +} +function readDiffRangesJsonFile(logger) { + const jsonFilePath = getDiffRangesJsonFilePath(); + if (!fs8.existsSync(jsonFilePath)) { + logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`); + return void 0; + } + const jsonContents = fs8.readFileSync(jsonFilePath, "utf8"); + logger.debug( + `Read pr-diff-range JSON file from ${jsonFilePath}: +${jsonContents}` + ); + return JSON.parse(jsonContents); +} + +// src/trap-caching.ts +var actionsCache2 = __toESM(require_cache3()); +var CACHE_VERSION2 = 1; +var CODEQL_TRAP_CACHE_PREFIX = "codeql-trap"; +var MINIMUM_CACHE_MB_TO_UPLOAD = 10; +var MAX_CACHE_OPERATION_MS2 = 12e4; +async function uploadTrapCaches(codeql, config, logger) { + if (!await isAnalyzingDefaultBranch()) return false; + for (const language of config.languages) { + const cacheDir = config.trapCaches[language]; + if (cacheDir === void 0) continue; + const trapFolderSize = 
await tryGetFolderBytes(cacheDir, logger); + if (trapFolderSize === void 0) { + logger.info( + `Skipping upload of TRAP cache for ${language} as we couldn't determine its size` + ); + continue; + } + if (trapFolderSize < MINIMUM_CACHE_MB_TO_UPLOAD * 1048576) { + logger.info( + `Skipping upload of TRAP cache for ${language} as it is too small` + ); + continue; + } + const key = await cacheKey( + codeql, + language, + process.env.GITHUB_SHA || "unknown" + ); + logger.info(`Uploading TRAP cache to Actions cache with key ${key}`); + await withTimeout( + MAX_CACHE_OPERATION_MS2, + actionsCache2.saveCache([cacheDir], key), + () => { + logger.info( + `Timed out waiting for TRAP cache for ${language} to upload, will continue without uploading` + ); + } + ); + } + return true; +} +async function cleanupTrapCaches(config, features, logger) { + if (!await features.getValue("cleanup_trap_caches" /* CleanupTrapCaches */)) { + return { + trap_cache_cleanup_skipped_because: "feature disabled" + }; + } + if (!await isAnalyzingDefaultBranch()) { + return { + trap_cache_cleanup_skipped_because: "not analyzing default branch" + }; + } + try { + let totalBytesCleanedUp = 0; + const allCaches = await listActionsCaches( + CODEQL_TRAP_CACHE_PREFIX, + await getRef() + ); + for (const language of config.languages) { + if (config.trapCaches[language]) { + const cachesToRemove = await getTrapCachesForLanguage( + allCaches, + language, + logger + ); + cachesToRemove.sort((a, b) => a.created_at.localeCompare(b.created_at)); + const mostRecentCache = cachesToRemove.pop(); + logger.debug( + `Keeping most recent TRAP cache (${JSON.stringify(mostRecentCache)})` + ); + if (cachesToRemove.length === 0) { + logger.info(`No TRAP caches to clean up for ${language}.`); + continue; + } + for (const cache of cachesToRemove) { + logger.debug(`Cleaning up TRAP cache (${JSON.stringify(cache)})`); + await deleteActionsCache(cache.id); + } + const bytesCleanedUp = cachesToRemove.reduce( + (acc, item) => acc + 
item.size_in_bytes, + 0 + ); + totalBytesCleanedUp += bytesCleanedUp; + const megabytesCleanedUp = (bytesCleanedUp / (1024 * 1024)).toFixed(2); + logger.info( + `Cleaned up ${megabytesCleanedUp} MiB of old TRAP caches for ${language}.` + ); + } + } + return { trap_cache_cleanup_size_bytes: totalBytesCleanedUp }; + } catch (e) { + if (isHTTPError(e) && e.status === 403) { + logger.warning( + `Could not cleanup TRAP caches as the token did not have the required permissions. To clean up TRAP caches, ensure the token has the "actions:write" permission. See ${"https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs" /* ASSIGNING_PERMISSIONS_TO_JOBS */} for more information.` + ); + } else { + logger.info(`Failed to cleanup TRAP caches, continuing. Details: ${e}`); + } + return { trap_cache_cleanup_error: getErrorMessage(e) }; + } +} +async function getTrapCachesForLanguage(allCaches, language, logger) { + logger.debug(`Listing TRAP caches for ${language}`); + for (const cache of allCaches) { + if (!cache.created_at || !cache.id || !cache.key || !cache.size_in_bytes) { + throw new Error( + `An unexpected cache item was returned from the API that was missing one or more required fields: ${JSON.stringify(cache)}` + ); + } + } + return allCaches.filter((cache) => { + return cache.key?.includes(`-${language}-`); + }); +} +async function cacheKey(codeql, language, baseSha) { + return `${await cachePrefix(codeql, language)}${baseSha}`; +} +async function cachePrefix(codeql, language) { + return `${CODEQL_TRAP_CACHE_PREFIX}-${CACHE_VERSION2}-${(await codeql.getVersion()).version}-${language}-`; +} + +// src/config-utils.ts +var OVERLAY_ANALYSIS_FEATURES = { + actions: "overlay_analysis_actions" /* OverlayAnalysisActions */, + cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, + csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, + go: "overlay_analysis_go" /* OverlayAnalysisGo */, + java: "overlay_analysis_java" /* OverlayAnalysisJava */, + 
javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, + python: "overlay_analysis_python" /* OverlayAnalysisPython */, + ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */, + rust: "overlay_analysis_rust" /* OverlayAnalysisRust */, + swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */ +}; +var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { + actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */, + cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, + csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, + go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, + java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, + javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, + python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, + ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */, + rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */, + swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */ +}; +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); +function getPathToParsedConfigFile(tempDir) { + return path10.join(tempDir, "config"); +} +async function getConfig(tempDir, logger) { + const configFile = getPathToParsedConfigFile(tempDir); + if (!fs9.existsSync(configFile)) { + return void 0; + } + const configString = fs9.readFileSync(configFile, "utf8"); + logger.debug("Loaded config:"); + logger.debug(configString); + return JSON.parse(configString); +} +function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { 
+ if (extraQueryExclusions.length === 0) { + return cliConfig; + } + const augmentedConfig = cloneObject(cliConfig); + augmentedConfig["query-filters"] = [ + // Ordering matters. If the first filter is an inclusion, it implicitly + // excludes all queries that are not included. If it is an exclusion, + // it implicitly includes all queries that are not excluded. So user + // filters (if any) should always be first to preserve intent. + ...augmentedConfig["query-filters"] || [], + ...extraQueryExclusions + ]; + if (augmentedConfig["query-filters"]?.length === 0) { + delete augmentedConfig["query-filters"]; + } + return augmentedConfig; +} +function isCodeQualityEnabled(config) { + return config.analysisKinds.includes("code-quality" /* CodeQuality */); +} + // src/setup-codeql.ts -var fs10 = __toESM(require("fs")); -var path10 = __toESM(require("path")); +var fs12 = __toESM(require("fs")); +var path12 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // node_modules/uuid/dist/esm/stringify.js var byteToHex = []; @@ -91412,12 +91667,12 @@ var v4_default = v4; // src/tar.ts var import_child_process = require("child_process"); -var fs8 = __toESM(require("fs")); +var fs10 = __toESM(require("fs")); var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver4 = __toESM(require_semver2()); +var semver5 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { 
@@ -91459,9 +91714,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver4.gte( - semver4.coerce(version), - semver4.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver5.gte( + semver5.coerce(version), + semver5.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -91470,7 +91725,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver4.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver5.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; @@ -91485,7 +91740,7 @@ async function isZstdAvailable(logger) { } } async function extract(tarPath, dest, compressionMethod, tarVersion, logger) { - fs8.mkdirSync(dest, { recursive: true }); + fs10.mkdirSync(dest, { recursive: true }); switch (compressionMethod) { case "gzip": return await toolcache.extractTar(tarPath, dest); @@ -91569,15 +91824,15 @@ function inferCompressionMethod(tarPath) { } // src/tools-download.ts -var fs9 = __toESM(require("fs")); +var fs11 = __toESM(require("fs")); var os2 = __toESM(require("os")); -var path9 = __toESM(require("path")); +var path11 = __toESM(require("path")); var import_perf_hooks = require("perf_hooks"); -var core8 = __toESM(require_core()); +var core9 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver5 = __toESM(require_semver2()); +var semver6 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { 
@@ -91627,10 +91882,10 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat }; } } catch (e) { - core8.warning( + core9.warning( `Failed to download and extract CodeQL bundle using streaming with error: ${getErrorMessage(e)}` ); - core8.warning(`Falling back to downloading the bundle before extracting.`); + core9.warning(`Falling back to downloading the bundle before extracting.`); await cleanUpGlob(dest, "CodeQL bundle", logger); } const toolsDownloadStart = import_perf_hooks.performance.now(); @@ -91676,7 +91931,7 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat }; } async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorization, headers, tarVersion, logger) { - fs9.mkdirSync(dest, { recursive: true }); + fs11.mkdirSync(dest, { recursive: true }); const agent = new import_http_client.HttpClient().getAgent(codeqlURL); headers = Object.assign( { "User-Agent": "CodeQL Action" }, @@ -91704,16 +91959,16 @@ async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorizatio await extractTarZst(response, dest, tarVersion, logger); } function getToolcacheDirectory(version) { - return path9.join( + return path11.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver5.clean(version) || version, + semver6.clean(version) || version, os2.arch() || "" ); } function writeToolcacheMarkerFile(extractedPath, logger) { const markerFilePath = `${extractedPath}.complete`; - fs9.writeFileSync(markerFilePath, ""); + fs11.writeFileSync(markerFilePath, ""); logger.info(`Created toolcache marker file ${markerFilePath}`); } function sanitizeUrlForStatusReport(url2) { 
@@ -91828,13 +92083,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver6.valid(version)) { + if (!semver7.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver6.clean(version); + const s = semver7.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } @@ -91844,7 +92099,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({ folder: toolcache3.find("CodeQL", version), version - })).filter(({ folder }) => fs10.existsSync(path10.join(folder, "pinned-version"))); + })).filter(({ folder }) => fs12.existsSync(path12.join(folder, "pinned-version"))); if (candidates.length === 1) { const candidate = candidates[0]; logger.debug( @@ -91904,7 +92159,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver6.valid(bundleVersion3)) { + if (bundleVersion3 && semver7.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } 
@@ -92173,16 +92428,16 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver6.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver7.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { - return path10.join(tempDir, v4_default()); + return path12.join(tempDir, v4_default()); } // src/tracer-config.ts -var fs11 = __toESM(require("fs")); -var path11 = __toESM(require("path")); +var fs13 = __toESM(require("fs")); +var path13 = __toESM(require("path")); async function shouldEnableIndirectTracing(codeql, config) { if (config.buildMode === "none" /* None */) { return false; @@ -92197,18 +92452,18 @@ async function endTracingForCluster(codeql, config, logger) { logger.info( "Unsetting build tracing environment variables. Subsequent steps of this job will not be traced." ); - const envVariablesFile = path11.resolve( + const envVariablesFile = path13.resolve( config.dbLocation, "temp/tracingEnvironment/end-tracing.json" ); - if (!fs11.existsSync(envVariablesFile)) { + if (!fs13.existsSync(envVariablesFile)) { throw new Error( `Environment file for ending tracing not found: ${envVariablesFile}` ); } try { const endTracingEnvVariables = JSON.parse( - fs11.readFileSync(envVariablesFile, "utf8") + fs13.readFileSync(envVariablesFile, "utf8") ); for (const [key, value] of Object.entries(endTracingEnvVariables)) { if (value !== null) { 
@@ -92253,7 +92508,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV toolsDownloadStatusReport )}` ); - let codeqlCmd = path12.join(codeqlFolder, "codeql", "codeql"); + let codeqlCmd = path14.join(codeqlFolder, "codeql", "codeql"); if (process.platform === "win32") { codeqlCmd += ".exe"; } else if (process.platform !== "linux" && process.platform !== "darwin") { @@ -92314,12 +92569,12 @@ async function getCodeQLForCmd(cmd, checkVersion) { }, async isTracedLanguage(language) { const extractorPath = await this.resolveExtractor(language); - const tracingConfigPath = path12.join( + const tracingConfigPath = path14.join( extractorPath, "tools", "tracing-config.lua" ); - return fs12.existsSync(tracingConfigPath); + return fs14.existsSync(tracingConfigPath); }, async isScannedLanguage(language) { return !await this.isTracedLanguage(language); @@ -92390,7 +92645,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { }, async runAutobuild(config, language) { applyAutobuildAzurePipelinesTimeoutFix(); - const autobuildCmd = path12.join( + const autobuildCmd = path14.join( await this.resolveExtractor(language), "tools", process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh" 
@@ -92711,12 +92966,12 @@ ${output}` ); } else if (checkVersion && process.env["CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */] !== "true" && !await codeQlVersionAtLeast(codeql, CODEQL_NEXT_MINIMUM_VERSION)) { const result = await codeql.getVersion(); - core9.warning( + core10.warning( `CodeQL CLI version ${result.version} was discontinued on ${GHES_MOST_RECENT_DEPRECATION_DATE} alongside GitHub Enterprise Server ${GHES_VERSION_MOST_RECENTLY_DEPRECATED} and will not be supported by the next minor release of the CodeQL Action. Please update to CodeQL CLI version ${CODEQL_NEXT_MINIMUM_VERSION} or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version. Alternatively, if you want to continue using CodeQL CLI version ${result.version}, you can replace 'github/codeql-action/*@v${getActionVersion().split(".")[0]}' by 'github/codeql-action/*@v${getActionVersion()}' in your code scanning workflow to continue using this version of the CodeQL Action.` ); - core9.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); + core10.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); } return codeql; } 
@@ -92768,13 +93023,17 @@ async function runCli(cmd, args = [], opts = {}) { } async function writeCodeScanningConfigFile(config, logger) { const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config); + const augmentedConfig = appendExtraQueryExclusions( + config.extraQueryExclusions, + config.computedConfig + ); logger.info( `Writing augmented user configuration file to ${codeScanningConfigFile}` ); logger.startGroup("Augmented user configuration file contents"); - logger.info(dump(config.computedConfig)); + logger.info(dump(augmentedConfig)); logger.endGroup(); - fs12.writeFileSync(codeScanningConfigFile, dump(config.computedConfig)); + fs14.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; @@ -92797,7 +93056,7 @@ async function getTrapCachingExtractorConfigArgsForLang(config, language) { ]; } function getGeneratedCodeScanningConfigPath(config) { - return path12.resolve(config.tempDir, "user-config.yaml"); + return path14.resolve(config.tempDir, "user-config.yaml"); } function getExtractionVerbosityArguments(enableDebugLogging) { return enableDebugLogging ? [`--verbosity=${EXTRACTION_DEBUG_MODE_VERBOSITY}`] : []; 
@@ -92834,16 +93093,16 @@ async function setupCppAutobuild(codeql, logger) { logger.info( `Disabling ${featureName} as we are on a self-hosted runner.${getWorkflowEventName() !== "dynamic" ? ` To override this, set the ${envVar} environment variable to 'true' in your workflow. See ${"https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow" /* DEFINE_ENV_VARIABLES */} for more information.` : ""}` ); - core10.exportVariable(envVar, "false"); + core11.exportVariable(envVar, "false"); } else { logger.info( `Enabling ${featureName}. This can be disabled by setting the ${envVar} environment variable to 'false'. See ${"https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow" /* DEFINE_ENV_VARIABLES */} for more information.` ); - core10.exportVariable(envVar, "true"); + core11.exportVariable(envVar, "true"); } } else { logger.info(`Disabling ${featureName}.`); - core10.exportVariable(envVar, "false"); + core11.exportVariable(envVar, "false"); } } async function runAutobuild(config, language, logger) { 
@@ -92858,243 +93117,11 @@ async function runAutobuild(config, language, logger) { await codeQL.runAutobuild(config, language); } if (language === "go" /* go */) { - core10.exportVariable("CODEQL_ACTION_DID_AUTOBUILD_GOLANG" /* DID_AUTOBUILD_GOLANG */, "true"); + core11.exportVariable("CODEQL_ACTION_DID_AUTOBUILD_GOLANG" /* DID_AUTOBUILD_GOLANG */, "true"); } logger.endGroup(); } -// src/config-utils.ts -var fs14 = __toESM(require("fs")); -var path14 = __toESM(require("path")); -var semver7 = __toESM(require_semver2()); - -// src/caching-utils.ts -var core11 = __toESM(require_core()); -async function getTotalCacheSize(paths, logger, quiet = false) { - const sizes = await Promise.all( - paths.map((cacheDir) => tryGetFolderBytes(cacheDir, logger, quiet)) - ); - return sizes.map((a) => a || 0).reduce((a, b) => a + b, 0); -} -function shouldStoreCache(kind) { - return kind === "full" /* Full */ || kind === "store" /* Store */; -} - -// src/diff-informed-analysis-utils.ts -var fs13 = __toESM(require("fs")); -var path13 = __toESM(require("path")); -async function getDiffInformedAnalysisBranches(codeql, features, logger) { - if (!await features.getValue("diff_informed_queries" /* DiffInformedQueries */, codeql)) { - return void 0; - } - const gitHubVersion = await getGitHubVersion(); - if (gitHubVersion.type === 1 /* GHES */ && satisfiesGHESVersion(gitHubVersion.version, "<3.19", true)) { - return void 0; - } - const branches = getPullRequestBranches(); - if (!branches) { - logger.info( - "Not performing diff-informed analysis because we are not analyzing a pull request." 
- ); - } - return branches; -} -function getDiffRangesJsonFilePath() { - return path13.join(getTemporaryDirectory(), "pr-diff-range.json"); -} -function writeDiffRangesJsonFile(logger, ranges) { - const jsonContents = JSON.stringify(ranges, null, 2); - const jsonFilePath = getDiffRangesJsonFilePath(); - fs13.writeFileSync(jsonFilePath, jsonContents); - logger.debug( - `Wrote pr-diff-range JSON file to ${jsonFilePath}: -${jsonContents}` - ); -} -function readDiffRangesJsonFile(logger) { - const jsonFilePath = getDiffRangesJsonFilePath(); - if (!fs13.existsSync(jsonFilePath)) { - logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`); - return void 0; - } - const jsonContents = fs13.readFileSync(jsonFilePath, "utf8"); - logger.debug( - `Read pr-diff-range JSON file from ${jsonFilePath}: -${jsonContents}` - ); - return JSON.parse(jsonContents); -} - -// src/trap-caching.ts -var actionsCache2 = __toESM(require_cache3()); -var CACHE_VERSION2 = 1; -var CODEQL_TRAP_CACHE_PREFIX = "codeql-trap"; -var MINIMUM_CACHE_MB_TO_UPLOAD = 10; -var MAX_CACHE_OPERATION_MS2 = 12e4; -async function uploadTrapCaches(codeql, config, logger) { - if (!await isAnalyzingDefaultBranch()) return false; - for (const language of config.languages) { - const cacheDir = config.trapCaches[language]; - if (cacheDir === void 0) continue; - const trapFolderSize = await tryGetFolderBytes(cacheDir, logger); - if (trapFolderSize === void 0) { - logger.info( - `Skipping upload of TRAP cache for ${language} as we couldn't determine its size` - ); - continue; - } - if (trapFolderSize < MINIMUM_CACHE_MB_TO_UPLOAD * 1048576) { - logger.info( - `Skipping upload of TRAP cache for ${language} as it is too small` - ); - continue; - } - const key = await cacheKey( - codeql, - language, - process.env.GITHUB_SHA || "unknown" - ); - logger.info(`Uploading TRAP cache to Actions cache with key ${key}`); - await withTimeout( - MAX_CACHE_OPERATION_MS2, - actionsCache2.saveCache([cacheDir], key), - () => { 
- logger.info( - `Timed out waiting for TRAP cache for ${language} to upload, will continue without uploading` - ); - } - ); - } - return true; -} -async function cleanupTrapCaches(config, features, logger) { - if (!await features.getValue("cleanup_trap_caches" /* CleanupTrapCaches */)) { - return { - trap_cache_cleanup_skipped_because: "feature disabled" - }; - } - if (!await isAnalyzingDefaultBranch()) { - return { - trap_cache_cleanup_skipped_because: "not analyzing default branch" - }; - } - try { - let totalBytesCleanedUp = 0; - const allCaches = await listActionsCaches( - CODEQL_TRAP_CACHE_PREFIX, - await getRef() - ); - for (const language of config.languages) { - if (config.trapCaches[language]) { - const cachesToRemove = await getTrapCachesForLanguage( - allCaches, - language, - logger - ); - cachesToRemove.sort((a, b) => a.created_at.localeCompare(b.created_at)); - const mostRecentCache = cachesToRemove.pop(); - logger.debug( - `Keeping most recent TRAP cache (${JSON.stringify(mostRecentCache)})` - ); - if (cachesToRemove.length === 0) { - logger.info(`No TRAP caches to clean up for ${language}.`); - continue; - } - for (const cache of cachesToRemove) { - logger.debug(`Cleaning up TRAP cache (${JSON.stringify(cache)})`); - await deleteActionsCache(cache.id); - } - const bytesCleanedUp = cachesToRemove.reduce( - (acc, item) => acc + item.size_in_bytes, - 0 - ); - totalBytesCleanedUp += bytesCleanedUp; - const megabytesCleanedUp = (bytesCleanedUp / (1024 * 1024)).toFixed(2); - logger.info( - `Cleaned up ${megabytesCleanedUp} MiB of old TRAP caches for ${language}.` - ); - } - } - return { trap_cache_cleanup_size_bytes: totalBytesCleanedUp }; - } catch (e) { - if (isHTTPError(e) && e.status === 403) { - logger.warning( - `Could not cleanup TRAP caches as the token did not have the required permissions. To clean up TRAP caches, ensure the token has the "actions:write" permission. 
See ${"https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs" /* ASSIGNING_PERMISSIONS_TO_JOBS */} for more information.` - ); - } else { - logger.info(`Failed to cleanup TRAP caches, continuing. Details: ${e}`); - } - return { trap_cache_cleanup_error: getErrorMessage(e) }; - } -} -async function getTrapCachesForLanguage(allCaches, language, logger) { - logger.debug(`Listing TRAP caches for ${language}`); - for (const cache of allCaches) { - if (!cache.created_at || !cache.id || !cache.key || !cache.size_in_bytes) { - throw new Error( - `An unexpected cache item was returned from the API that was missing one or more required fields: ${JSON.stringify(cache)}` - ); - } - } - return allCaches.filter((cache) => { - return cache.key?.includes(`-${language}-`); - }); -} -async function cacheKey(codeql, language, baseSha) { - return `${await cachePrefix(codeql, language)}${baseSha}`; -} -async function cachePrefix(codeql, language) { - return `${CODEQL_TRAP_CACHE_PREFIX}-${CACHE_VERSION2}-${(await codeql.getVersion()).version}-${language}-`; -} - -// src/config-utils.ts -var OVERLAY_ANALYSIS_FEATURES = { - actions: "overlay_analysis_actions" /* OverlayAnalysisActions */, - cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, - csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, - go: "overlay_analysis_go" /* OverlayAnalysisGo */, - java: "overlay_analysis_java" /* OverlayAnalysisJava */, - javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, - python: "overlay_analysis_python" /* OverlayAnalysisPython */, - ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */, - rust: "overlay_analysis_rust" /* OverlayAnalysisRust */, - swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */ -}; -var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { - actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */, - cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, - csharp: 
"overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, - go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, - java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, - javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, - python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, - ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */, - rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */, - swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */ -}; -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); -function getPathToParsedConfigFile(tempDir) { - return path14.join(tempDir, "config"); -} -async function getConfig(tempDir, logger) { - const configFile = getPathToParsedConfigFile(tempDir); - if (!fs14.existsSync(configFile)) { - return void 0; - } - const configString = fs14.readFileSync(configFile, "utf8"); - logger.debug("Loaded config:"); - logger.debug(configString); - return JSON.parse(configString); -} -function isCodeQualityEnabled(config) { - return config.analysisKinds.includes("code-quality" /* CodeQuality */); -} - // src/dependency-caching.ts var os3 = __toESM(require("os")); var import_path = require("path"); diff --git a/lib/autobuild-action.js b/lib/autobuild-action.js index a1f0c90f0..bf381bbd6 100644 --- a/lib/autobuild-action.js +++ b/lib/autobuild-action.js 
@@ -77708,6 +77708,9 @@ function checkActionVersion(version, githubVersion) { } } } +function cloneObject(obj) { + return JSON.parse(JSON.stringify(obj)); +} async function checkSipEnablement(logger) { if (process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */] !== void 0 && ["true", "false"].includes(process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */])) { return process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */] === "true"; @@ -77979,12 +77982,12 @@ async function getAnalysisKey() { } // src/autobuild.ts -var core10 = __toESM(require_core()); +var core11 = __toESM(require_core()); // src/codeql.ts -var fs5 = __toESM(require("fs")); -var path5 = __toESM(require("path")); -var core9 = __toESM(require_core()); +var fs6 = __toESM(require("fs")); +var path6 = __toESM(require("path")); +var core10 = __toESM(require_core()); var toolrunner3 = __toESM(require_toolrunner()); // src/cli-errors.ts @@ -78224,6 +78227,22 @@ function wrapCliConfigurationError(cliError) { return new ConfigurationError(errorMessageBuilder); } +// src/config-utils.ts +var fs4 = __toESM(require("fs")); +var path4 = __toESM(require("path")); +var semver4 = __toESM(require_semver2()); + +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); + +// src/caching-utils.ts +var core6 = __toESM(require_core()); + // src/feature-flags.ts var fs3 = __toESM(require("fs")); var path3 = __toESM(require("path")); 
@@ -78239,13 +78258,13 @@ var path2 = __toESM(require("path")); var actionsCache = __toESM(require_cache3()); // src/git-utils.ts -var core6 = __toESM(require_core()); +var core7 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); var runGitCommand = async function(workingDirectory, args, customErrorMessage) { let stdout = ""; let stderr = ""; - core6.debug(`Running git command: git ${args.join(" ")}`); + core7.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, @@ -78265,7 +78284,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) { if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error2; } }; @@ -78376,7 +78395,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core6.debug( + core7.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; @@ -78402,9 +78421,9 @@ async function isAnalyzingDefaultBranch() { } // src/logging.ts -var core7 = __toESM(require_core()); +var core8 = __toESM(require_core()); function getActionsLogger() { - return core7; + return core8; } // src/overlay-database-utils.ts 
@@ -78900,28 +78919,94 @@ var GitHubFeatureFlags = class { } }; +// src/trap-caching.ts +var actionsCache2 = __toESM(require_cache3()); + +// src/config-utils.ts +var OVERLAY_ANALYSIS_FEATURES = { + actions: "overlay_analysis_actions" /* OverlayAnalysisActions */, + cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, + csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, + go: "overlay_analysis_go" /* OverlayAnalysisGo */, + java: "overlay_analysis_java" /* OverlayAnalysisJava */, + javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, + python: "overlay_analysis_python" /* OverlayAnalysisPython */, + ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */, + rust: "overlay_analysis_rust" /* OverlayAnalysisRust */, + swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */ +}; +var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { + actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */, + cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, + csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, + go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, + java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, + javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, + python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, + ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */, + rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */, + swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */ +}; +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new 
RegExp(`^${component}/${component}$`); +})(); +function getPathToParsedConfigFile(tempDir) { + return path4.join(tempDir, "config"); +} +async function getConfig(tempDir, logger) { + const configFile = getPathToParsedConfigFile(tempDir); + if (!fs4.existsSync(configFile)) { + return void 0; + } + const configString = fs4.readFileSync(configFile, "utf8"); + logger.debug("Loaded config:"); + logger.debug(configString); + return JSON.parse(configString); +} +function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { + if (extraQueryExclusions.length === 0) { + return cliConfig; + } + const augmentedConfig = cloneObject(cliConfig); + augmentedConfig["query-filters"] = [ + // Ordering matters. If the first filter is an inclusion, it implicitly + // excludes all queries that are not included. If it is an exclusion, + // it implicitly includes all queries that are not excluded. So user + // filters (if any) should always be first to preserve intent. + ...augmentedConfig["query-filters"] || [], + ...extraQueryExclusions + ]; + if (augmentedConfig["query-filters"]?.length === 0) { + delete augmentedConfig["query-filters"]; + } + return augmentedConfig; +} + // src/setup-codeql.ts var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // src/tar.ts var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver4 = __toESM(require_semver2()); +var semver5 = __toESM(require_semver2()); // src/tools-download.ts -var core8 = __toESM(require_core()); +var core9 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver5 = __toESM(require_semver2()); +var semver6 = __toESM(require_semver2()); var 
STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; // src/tracer-config.ts -var fs4 = __toESM(require("fs")); -var path4 = __toESM(require("path")); +var fs5 = __toESM(require("fs")); +var path5 = __toESM(require("path")); async function shouldEnableIndirectTracing(codeql, config) { if (config.buildMode === "none" /* None */) { return false; @@ -78936,18 +79021,18 @@ async function endTracingForCluster(codeql, config, logger) { logger.info( "Unsetting build tracing environment variables. Subsequent steps of this job will not be traced." ); - const envVariablesFile = path4.resolve( + const envVariablesFile = path5.resolve( config.dbLocation, "temp/tracingEnvironment/end-tracing.json" ); - if (!fs4.existsSync(envVariablesFile)) { + if (!fs5.existsSync(envVariablesFile)) { throw new Error( `Environment file for ending tracing not found: ${envVariablesFile}` ); } try { const endTracingEnvVariables = JSON.parse( - fs4.readFileSync(envVariablesFile, "utf8") + fs5.readFileSync(envVariablesFile, "utf8") ); for (const [key, value] of Object.entries(endTracingEnvVariables)) { if (value !== null) { @@ -79007,12 +79092,12 @@ async function getCodeQLForCmd(cmd, checkVersion) { }, async isTracedLanguage(language) { const extractorPath = await this.resolveExtractor(language); - const tracingConfigPath = path5.join( + const tracingConfigPath = path6.join( extractorPath, "tools", "tracing-config.lua" ); - return fs5.existsSync(tracingConfigPath); + return fs6.existsSync(tracingConfigPath); }, async isScannedLanguage(language) { return !await this.isTracedLanguage(language); @@ -79083,7 +79168,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { }, async runAutobuild(config, language) { applyAutobuildAzurePipelinesTimeoutFix(); - const autobuildCmd = path5.join( + const autobuildCmd = path6.join( await this.resolveExtractor(language), "tools", process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh" 
@@ -79404,12 +79489,12 @@ ${output}` ); } else if (checkVersion && process.env["CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */] !== "true" && !await codeQlVersionAtLeast(codeql, CODEQL_NEXT_MINIMUM_VERSION)) { const result = await codeql.getVersion(); - core9.warning( + core10.warning( `CodeQL CLI version ${result.version} was discontinued on ${GHES_MOST_RECENT_DEPRECATION_DATE} alongside GitHub Enterprise Server ${GHES_VERSION_MOST_RECENTLY_DEPRECATED} and will not be supported by the next minor release of the CodeQL Action. Please update to CodeQL CLI version ${CODEQL_NEXT_MINIMUM_VERSION} or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version. Alternatively, if you want to continue using CodeQL CLI version ${result.version}, you can replace 'github/codeql-action/*@v${getActionVersion().split(".")[0]}' by 'github/codeql-action/*@v${getActionVersion()}' in your code scanning workflow to continue using this version of the CodeQL Action.` ); - core9.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); + core10.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); } return codeql; } 
@@ -79461,13 +79546,17 @@ async function runCli(cmd, args = [], opts = {}) { } async function writeCodeScanningConfigFile(config, logger) { const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config); + const augmentedConfig = appendExtraQueryExclusions( + config.extraQueryExclusions, + config.computedConfig + ); logger.info( `Writing augmented user configuration file to ${codeScanningConfigFile}` ); logger.startGroup("Augmented user configuration file contents"); - logger.info(dump(config.computedConfig)); + logger.info(dump(augmentedConfig)); logger.endGroup(); - fs5.writeFileSync(codeScanningConfigFile, dump(config.computedConfig)); + fs6.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; @@ -79490,7 +79579,7 @@ async function getTrapCachingExtractorConfigArgsForLang(config, language) { ]; } function getGeneratedCodeScanningConfigPath(config) { - return path5.resolve(config.tempDir, "user-config.yaml"); + return path6.resolve(config.tempDir, "user-config.yaml"); } function getExtractionVerbosityArguments(enableDebugLogging) { return enableDebugLogging ? [`--verbosity=${EXTRACTION_DEBUG_MODE_VERBOSITY}`] : []; 
@@ -79566,16 +79655,16 @@ async function setupCppAutobuild(codeql, logger) { logger.info( `Disabling ${featureName} as we are on a self-hosted runner.${getWorkflowEventName() !== "dynamic" ? ` To override this, set the ${envVar} environment variable to 'true' in your workflow. See ${"https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow" /* DEFINE_ENV_VARIABLES */} for more information.` : ""}` ); - core10.exportVariable(envVar, "false"); + core11.exportVariable(envVar, "false"); } else { logger.info( `Enabling ${featureName}. This can be disabled by setting the ${envVar} environment variable to 'false'. See ${"https://docs.github.com/en/actions/learn-github-actions/variables#defining-environment-variables-for-a-single-workflow" /* DEFINE_ENV_VARIABLES */} for more information.` ); - core10.exportVariable(envVar, "true"); + core11.exportVariable(envVar, "true"); } } else { logger.info(`Disabling ${featureName}.`); - core10.exportVariable(envVar, "false"); + core11.exportVariable(envVar, "false"); } } async function runAutobuild(config, language, logger) { 
@@ -79590,75 +79679,11 @@ async function runAutobuild(config, language, logger) { await codeQL.runAutobuild(config, language); } if (language === "go" /* go */) { - core10.exportVariable("CODEQL_ACTION_DID_AUTOBUILD_GOLANG" /* DID_AUTOBUILD_GOLANG */, "true"); + core11.exportVariable("CODEQL_ACTION_DID_AUTOBUILD_GOLANG" /* DID_AUTOBUILD_GOLANG */, "true"); } logger.endGroup(); } -// src/config-utils.ts -var fs6 = __toESM(require("fs")); -var path6 = __toESM(require("path")); -var semver7 = __toESM(require_semver2()); - -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); - -// src/caching-utils.ts -var core11 = __toESM(require_core()); - -// src/trap-caching.ts -var actionsCache2 = __toESM(require_cache3()); - -// src/config-utils.ts -var OVERLAY_ANALYSIS_FEATURES = { - actions: "overlay_analysis_actions" /* OverlayAnalysisActions */, - cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, - csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, - go: "overlay_analysis_go" /* OverlayAnalysisGo */, - java: "overlay_analysis_java" /* OverlayAnalysisJava */, - javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, - python: "overlay_analysis_python" /* OverlayAnalysisPython */, - ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */, - rust: "overlay_analysis_rust" /* OverlayAnalysisRust */, - swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */ -}; -var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { - actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */, - cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, - csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, - go: 
"overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, - java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, - javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, - python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, - ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */, - rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */, - swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */ -}; -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); -function getPathToParsedConfigFile(tempDir) { - return path6.join(tempDir, "config"); -} -async function getConfig(tempDir, logger) { - const configFile = getPathToParsedConfigFile(tempDir); - if (!fs6.existsSync(configFile)) { - return void 0; - } - const configString = fs6.readFileSync(configFile, "utf8"); - logger.debug("Loaded config:"); - logger.debug(configString); - return JSON.parse(configString); -} - // src/status-report.ts var os = __toESM(require("os")); var core12 = __toESM(require_core()); diff --git a/lib/init-action-post.js b/lib/init-action-post.js index a360f4d0c..ed9a4e00b 100644 --- a/lib/init-action-post.js +++ b/lib/init-action-post.js 
@@ -128114,6 +128114,9 @@ function satisfiesGHESVersion(ghesVersion, range, defaultIfInvalid) { semverVersion.prerelease = []; return semver.satisfies(semverVersion, range); } +function cloneObject(obj) { + return JSON.parse(JSON.stringify(obj)); +} async function checkSipEnablement(logger) { if (process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */] !== void 0 && ["true", "false"].includes(process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */])) { return process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */] === "true"; @@ -128499,9 +128502,9 @@ function wrapApiConfigurationError(e) { } // src/codeql.ts -var fs11 = __toESM(require("fs")); -var path11 = __toESM(require("path")); -var core9 = __toESM(require_core()); +var fs13 = __toESM(require("fs")); +var path13 = __toESM(require("path")); +var core10 = __toESM(require_core()); var toolrunner3 = __toESM(require_toolrunner()); // src/cli-errors.ts @@ -128741,6 +128744,26 @@ function wrapCliConfigurationError(cliError) { return new ConfigurationError(errorMessageBuilder); } +// src/config-utils.ts +var fs9 = __toESM(require("fs")); +var path10 = __toESM(require("path")); +var semver4 = __toESM(require_semver2()); + +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); + +// src/caching-utils.ts +var core6 = __toESM(require_core()); + +// src/diff-informed-analysis-utils.ts +var fs8 = __toESM(require("fs")); +var path9 = __toESM(require("path")); + // src/feature-flags.ts var fs7 = __toESM(require("fs")); var path8 = __toESM(require("path")); 
@@ -128756,13 +128779,13 @@ var path7 = __toESM(require("path")); var actionsCache = __toESM(require_cache3()); // src/git-utils.ts -var core6 = __toESM(require_core()); +var core7 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); var runGitCommand = async function(workingDirectory, args, customErrorMessage) { let stdout = ""; let stderr = ""; - core6.debug(`Running git command: git ${args.join(" ")}`); + core7.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, @@ -128782,7 +128805,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) { if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error2; } }; @@ -128927,7 +128950,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core6.debug( + core7.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; @@ -128953,16 +128976,16 @@ async function isAnalyzingDefaultBranch() { } // src/logging.ts -var core7 = __toESM(require_core()); +var core8 = __toESM(require_core()); function getActionsLogger() { - return core7; + return core8; } function withGroup(groupName, f) { - core7.startGroup(groupName); + core8.startGroup(groupName); try { return f(); } finally { - core7.endGroup(); + core8.endGroup(); } } function formatDuration(durationMs) { 
@@ -129475,12 +129498,96 @@ var GitHubFeatureFlags = class { } }; +// src/diff-informed-analysis-utils.ts +function getDiffRangesJsonFilePath() { + return path9.join(getTemporaryDirectory(), "pr-diff-range.json"); +} +function readDiffRangesJsonFile(logger) { + const jsonFilePath = getDiffRangesJsonFilePath(); + if (!fs8.existsSync(jsonFilePath)) { + logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`); + return void 0; + } + const jsonContents = fs8.readFileSync(jsonFilePath, "utf8"); + logger.debug( + `Read pr-diff-range JSON file from ${jsonFilePath}: +${jsonContents}` + ); + return JSON.parse(jsonContents); +} + +// src/trap-caching.ts +var actionsCache2 = __toESM(require_cache3()); + +// src/config-utils.ts +var OVERLAY_ANALYSIS_FEATURES = { + actions: "overlay_analysis_actions" /* OverlayAnalysisActions */, + cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, + csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, + go: "overlay_analysis_go" /* OverlayAnalysisGo */, + java: "overlay_analysis_java" /* OverlayAnalysisJava */, + javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, + python: "overlay_analysis_python" /* OverlayAnalysisPython */, + ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */, + rust: "overlay_analysis_rust" /* OverlayAnalysisRust */, + swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */ +}; +var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { + actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */, + cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, + csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, + go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, + java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, + javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, + python: 
"overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, + ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */, + rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */, + swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */ +}; +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); +function getPathToParsedConfigFile(tempDir) { + return path10.join(tempDir, "config"); +} +async function getConfig(tempDir, logger) { + const configFile = getPathToParsedConfigFile(tempDir); + if (!fs9.existsSync(configFile)) { + return void 0; + } + const configString = fs9.readFileSync(configFile, "utf8"); + logger.debug("Loaded config:"); + logger.debug(configString); + return JSON.parse(configString); +} +function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { + if (extraQueryExclusions.length === 0) { + return cliConfig; + } + const augmentedConfig = cloneObject(cliConfig); + augmentedConfig["query-filters"] = [ + // Ordering matters. If the first filter is an inclusion, it implicitly + // excludes all queries that are not included. If it is an exclusion, + // it implicitly includes all queries that are not excluded. So user + // filters (if any) should always be first to preserve intent. 
+ ...augmentedConfig["query-filters"] || [], + ...extraQueryExclusions + ]; + if (augmentedConfig["query-filters"]?.length === 0) { + delete augmentedConfig["query-filters"]; + } + return augmentedConfig; +} + // src/setup-codeql.ts -var fs10 = __toESM(require("fs")); -var path10 = __toESM(require("path")); +var fs12 = __toESM(require("fs")); +var path12 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // node_modules/uuid/dist/esm/stringify.js var byteToHex = []; @@ -129535,12 +129642,12 @@ var v4_default = v4; // src/tar.ts var import_child_process = require("child_process"); -var fs8 = __toESM(require("fs")); +var fs10 = __toESM(require("fs")); var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver4 = __toESM(require_semver2()); +var semver5 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -129582,9 +129689,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver4.gte( - semver4.coerce(version), - semver4.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver5.gte( + semver5.coerce(version), + semver5.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -129593,7 +129700,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver4.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver5.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; 
@@ -129608,7 +129715,7 @@ async function isZstdAvailable(logger) { } } async function extract(tarPath, dest, compressionMethod, tarVersion, logger) { - fs8.mkdirSync(dest, { recursive: true }); + fs10.mkdirSync(dest, { recursive: true }); switch (compressionMethod) { case "gzip": return await toolcache.extractTar(tarPath, dest); @@ -129692,15 +129799,15 @@ function inferCompressionMethod(tarPath) { } // src/tools-download.ts -var fs9 = __toESM(require("fs")); +var fs11 = __toESM(require("fs")); var os = __toESM(require("os")); -var path9 = __toESM(require("path")); +var path11 = __toESM(require("path")); var import_perf_hooks = require("perf_hooks"); -var core8 = __toESM(require_core()); +var core9 = __toESM(require_core()); var import_http_client = __toESM(require_lib()); var toolcache2 = __toESM(require_tool_cache()); var import_follow_redirects = __toESM(require_follow_redirects()); -var semver5 = __toESM(require_semver2()); +var semver6 = __toESM(require_semver2()); var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024; var TOOLCACHE_TOOL_NAME = "CodeQL"; function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) { @@ -129750,10 +129857,10 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat }; } } catch (e) { - core8.warning( + core9.warning( `Failed to download and extract CodeQL bundle using streaming with error: ${getErrorMessage(e)}` ); - core8.warning(`Falling back to downloading the bundle before extracting.`); + core9.warning(`Falling back to downloading the bundle before extracting.`); await cleanUpGlob(dest, "CodeQL bundle", logger); } const toolsDownloadStart = import_perf_hooks.performance.now(); 
@@ -129799,7 +129906,7 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat }; } async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorization, headers, tarVersion, logger) { - fs9.mkdirSync(dest, { recursive: true }); + fs11.mkdirSync(dest, { recursive: true }); const agent = new import_http_client.HttpClient().getAgent(codeqlURL); headers = Object.assign( { "User-Agent": "CodeQL Action" }, @@ -129827,16 +129934,16 @@ async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorizatio await extractTarZst(response, dest, tarVersion, logger); } function getToolcacheDirectory(version) { - return path9.join( + return path11.join( getRequiredEnvParam("RUNNER_TOOL_CACHE"), TOOLCACHE_TOOL_NAME, - semver5.clean(version) || version, + semver6.clean(version) || version, os.arch() || "" ); } function writeToolcacheMarkerFile(extractedPath, logger) { const markerFilePath = `${extractedPath}.complete`; - fs9.writeFileSync(markerFilePath, ""); + fs11.writeFileSync(markerFilePath, ""); logger.info(`Created toolcache marker file ${markerFilePath}`); } function sanitizeUrlForStatusReport(url2) { @@ -129951,13 +130058,13 @@ function tryGetTagNameFromUrl(url2, logger) { return match[1]; } function convertToSemVer(version, logger) { - if (!semver6.valid(version)) { + if (!semver7.valid(version)) { logger.debug( `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.` ); version = `0.0.0-${version}`; } - const s = semver6.clean(version); + const s = semver7.clean(version); if (!s) { throw new Error(`Bundle version ${version} is not in SemVer format.`); } 
@@ -129967,7 +130074,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) { const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({ folder: toolcache3.find("CodeQL", version), version - })).filter(({ folder }) => fs10.existsSync(path10.join(folder, "pinned-version"))); + })).filter(({ folder }) => fs12.existsSync(path12.join(folder, "pinned-version"))); if (candidates.length === 1) { const candidate = candidates[0]; logger.debug( @@ -130027,7 +130134,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian url2 = toolsInput; if (tagName) { const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger); - if (bundleVersion3 && semver6.valid(bundleVersion3)) { + if (bundleVersion3 && semver7.valid(bundleVersion3)) { cliVersion2 = convertToSemVer(bundleVersion3, logger); } } @@ -130296,11 +130403,11 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau async function useZstdBundle(cliVersion2, tarSupportsZstd) { return ( // In testing, gzip performs better than zstd on Windows. - process.platform !== "win32" && tarSupportsZstd && semver6.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) + process.platform !== "win32" && tarSupportsZstd && semver7.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE) ); } function getTempExtractionDir(tempDir) { - return path10.join(tempDir, v4_default()); + return path12.join(tempDir, v4_default()); } // src/tracer-config.ts @@ -130343,7 +130450,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV toolsDownloadStatusReport )}` ); - let codeqlCmd = path11.join(codeqlFolder, "codeql", "codeql"); + let codeqlCmd = path13.join(codeqlFolder, "codeql", "codeql"); if (process.platform === "win32") { codeqlCmd += ".exe"; } else if (process.platform !== "linux" && process.platform !== "darwin") { 
@@ -130404,12 +130511,12 @@ async function getCodeQLForCmd(cmd, checkVersion) { }, async isTracedLanguage(language) { const extractorPath = await this.resolveExtractor(language); - const tracingConfigPath = path11.join( + const tracingConfigPath = path13.join( extractorPath, "tools", "tracing-config.lua" ); - return fs11.existsSync(tracingConfigPath); + return fs13.existsSync(tracingConfigPath); }, async isScannedLanguage(language) { return !await this.isTracedLanguage(language); @@ -130480,7 +130587,7 @@ async function getCodeQLForCmd(cmd, checkVersion) { }, async runAutobuild(config, language) { applyAutobuildAzurePipelinesTimeoutFix(); - const autobuildCmd = path11.join( + const autobuildCmd = path13.join( await this.resolveExtractor(language), "tools", process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh" 
@@ -130801,12 +130908,12 @@ ${output}` ); } else if (checkVersion && process.env["CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */] !== "true" && !await codeQlVersionAtLeast(codeql, CODEQL_NEXT_MINIMUM_VERSION)) { const result = await codeql.getVersion(); - core9.warning( + core10.warning( `CodeQL CLI version ${result.version} was discontinued on ${GHES_MOST_RECENT_DEPRECATION_DATE} alongside GitHub Enterprise Server ${GHES_VERSION_MOST_RECENTLY_DEPRECATED} and will not be supported by the next minor release of the CodeQL Action. Please update to CodeQL CLI version ${CODEQL_NEXT_MINIMUM_VERSION} or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version. Alternatively, if you want to continue using CodeQL CLI version ${result.version}, you can replace 'github/codeql-action/*@v${getActionVersion().split(".")[0]}' by 'github/codeql-action/*@v${getActionVersion()}' in your code scanning workflow to continue using this version of the CodeQL Action.` ); - core9.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); + core10.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); } return codeql; } 
@@ -130858,13 +130965,17 @@ async function runCli(cmd, args = [], opts = {}) { } async function writeCodeScanningConfigFile(config, logger) { const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config); + const augmentedConfig = appendExtraQueryExclusions( + config.extraQueryExclusions, + config.computedConfig + ); logger.info( `Writing augmented user configuration file to ${codeScanningConfigFile}` ); logger.startGroup("Augmented user configuration file contents"); - logger.info(dump(config.computedConfig)); + logger.info(dump(augmentedConfig)); logger.endGroup(); - fs11.writeFileSync(codeScanningConfigFile, dump(config.computedConfig)); + fs13.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; @@ -130887,7 +130998,7 @@ async function getTrapCachingExtractorConfigArgsForLang(config, language) { ]; } function getGeneratedCodeScanningConfigPath(config) { - return path11.resolve(config.tempDir, "user-config.yaml"); + return path13.resolve(config.tempDir, "user-config.yaml"); } function getExtractionVerbosityArguments(enableDebugLogging) { return enableDebugLogging ? [`--verbosity=${EXTRACTION_DEBUG_MODE_VERBOSITY}`] : []; 
@@ -130907,90 +131018,6 @@ async function getJobRunUuidSarifOptions(codeql) { ) ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : []; } -// src/config-utils.ts -var fs13 = __toESM(require("fs")); -var path13 = __toESM(require("path")); -var semver7 = __toESM(require_semver2()); - -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); - -// src/caching-utils.ts -var core10 = __toESM(require_core()); - -// src/diff-informed-analysis-utils.ts -var fs12 = __toESM(require("fs")); -var path12 = __toESM(require("path")); -function getDiffRangesJsonFilePath() { - return path12.join(getTemporaryDirectory(), "pr-diff-range.json"); -} -function readDiffRangesJsonFile(logger) { - const jsonFilePath = getDiffRangesJsonFilePath(); - if (!fs12.existsSync(jsonFilePath)) { - logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`); - return void 0; - } - const jsonContents = fs12.readFileSync(jsonFilePath, "utf8"); - logger.debug( - `Read pr-diff-range JSON file from ${jsonFilePath}: -${jsonContents}` - ); - return JSON.parse(jsonContents); -} - -// src/trap-caching.ts -var actionsCache2 = __toESM(require_cache3()); - -// src/config-utils.ts -var OVERLAY_ANALYSIS_FEATURES = { - actions: "overlay_analysis_actions" /* OverlayAnalysisActions */, - cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, - csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, - go: "overlay_analysis_go" /* OverlayAnalysisGo */, - java: "overlay_analysis_java" /* OverlayAnalysisJava */, - javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, - python: "overlay_analysis_python" /* OverlayAnalysisPython */, - ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */, - rust: "overlay_analysis_rust" /* OverlayAnalysisRust */, - 
swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */ -}; -var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { - actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */, - cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, - csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, - go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, - java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, - javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, - python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, - ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */, - rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */, - swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */ -}; -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); -function getPathToParsedConfigFile(tempDir) { - return path13.join(tempDir, "config"); -} -async function getConfig(tempDir, logger) { - const configFile = getPathToParsedConfigFile(tempDir); - if (!fs13.existsSync(configFile)) { - return void 0; - } - const configString = fs13.readFileSync(configFile, "utf8"); - logger.debug("Loaded config:"); - logger.debug(configString); - return JSON.parse(configString); -} - // src/debug-artifacts.ts var fs15 = __toESM(require("fs")); var path15 = __toESM(require("path")); diff --git a/lib/init-action.js b/lib/init-action.js index a73a8a6aa..d3fb02689 100644 --- a/lib/init-action.js +++ b/lib/init-action.js 
@@ -87304,6 +87304,7 @@ async function getDefaultConfig({ trapCaches, trapCacheDownloadTime, dependencyCachingEnabled: getCachingKind(dependencyCachingEnabled), + extraQueryExclusions: [], overlayDatabaseMode: "none" /* None */, useOverlayDatabaseCaching: false }; @@ -87349,8 +87350,7 @@ async function calculateAugmentation(rawPacksInput, rawQueriesInput, languages) packsInputCombines, packsInput: packsInput?.[languages[0]], queriesInput, - queriesInputCombines, - extraQueryExclusions: [] + queriesInputCombines }; } function parseQueriesFromInput(rawQueriesInput, queriesInputCombines) { @@ -87627,10 +87627,7 @@ async function initConfig(inputs) { inputs.features, logger )) { - if (config.computedConfig["query-filters"] === void 0) { - config.computedConfig["query-filters"] = []; - } - config.computedConfig["query-filters"].push({ + config.extraQueryExclusions.push({ exclude: { tags: "exclude-from-incremental" } }); } @@ -87823,13 +87820,20 @@ function generateCodeScanningConfig(originalUserInput, augmentationProperties) { if (Array.isArray(augmentedConfig.packs) && !augmentedConfig.packs.length) { delete augmentedConfig.packs; } + return augmentedConfig; +} +function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { + if (extraQueryExclusions.length === 0) { + return cliConfig; + } + const augmentedConfig = cloneObject(cliConfig); augmentedConfig["query-filters"] = [ // Ordering matters. If the first filter is an inclusion, it implicitly // excludes all queries that are not included. If it is an exclusion, // it implicitly includes all queries that are not excluded. So user // filters (if any) should always be first to preserve intent. ...augmentedConfig["query-filters"] || [], - ...augmentationProperties.extraQueryExclusions + ...extraQueryExclusions ]; if (augmentedConfig["query-filters"]?.length === 0) { delete augmentedConfig["query-filters"]; 
@@ -89604,13 +89608,17 @@ async function runCli(cmd, args = [], opts = {}) { } async function writeCodeScanningConfigFile(config, logger) { const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config); + const augmentedConfig = appendExtraQueryExclusions( + config.extraQueryExclusions, + config.computedConfig + ); logger.info( `Writing augmented user configuration file to ${codeScanningConfigFile}` ); logger.startGroup("Augmented user configuration file contents"); - logger.info(dump(config.computedConfig)); + logger.info(dump(augmentedConfig)); logger.endGroup(); - fs14.writeFileSync(codeScanningConfigFile, dump(config.computedConfig)); + fs14.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; diff --git a/lib/resolve-environment-action.js b/lib/resolve-environment-action.js index 64f99a017..4cda99c10 100644 --- a/lib/resolve-environment-action.js +++ b/lib/resolve-environment-action.js @@ -77720,6 +77720,9 @@ function checkActionVersion(version, githubVersion) { } } } +function cloneObject(obj) { + return JSON.parse(JSON.stringify(obj)); +} async function checkSipEnablement(logger) { if (process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */] !== void 0 && ["true", "false"].includes(process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */])) { return process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */] === "true"; 
@@ -78690,6 +78693,24 @@ async function getConfig(tempDir, logger) { logger.debug(configString); return JSON.parse(configString); } +function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { + if (extraQueryExclusions.length === 0) { + return cliConfig; + } + const augmentedConfig = cloneObject(cliConfig); + augmentedConfig["query-filters"] = [ + // Ordering matters. If the first filter is an inclusion, it implicitly + // excludes all queries that are not included. If it is an exclusion, + // it implicitly includes all queries that are not excluded. So user + // filters (if any) should always be first to preserve intent. + ...augmentedConfig["query-filters"] || [], + ...extraQueryExclusions + ]; + if (augmentedConfig["query-filters"]?.length === 0) { + delete augmentedConfig["query-filters"]; + } + return augmentedConfig; +} // src/codeql.ts var fs4 = __toESM(require("fs")); @@ -79225,13 +79246,17 @@ async function runCli(cmd, args = [], opts = {}) { } async function writeCodeScanningConfigFile(config, logger) { const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config); + const augmentedConfig = appendExtraQueryExclusions( + config.extraQueryExclusions, + config.computedConfig + ); logger.info( `Writing augmented user configuration file to ${codeScanningConfigFile}` ); logger.startGroup("Augmented user configuration file contents"); - logger.info(dump(config.computedConfig)); + logger.info(dump(augmentedConfig)); logger.endGroup(); - fs4.writeFileSync(codeScanningConfigFile, dump(config.computedConfig)); + fs4.writeFileSync(codeScanningConfigFile, dump(augmentedConfig)); return codeScanningConfigFile; } var TRAP_CACHE_SIZE_MB = 1024; diff --git a/lib/upload-lib.js b/lib/upload-lib.js index ce0643800..b6376ce22 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js 
@@ -88331,6 +88331,9 @@ function satisfiesGHESVersion(ghesVersion, range, defaultIfInvalid) { semverVersion.prerelease = []; return semver.satisfies(semverVersion, range); } +function cloneObject(obj) { + return JSON.parse(JSON.stringify(obj)); +} async function cleanUpGlob(glob, name, logger) { logger.debug(`Cleaning up ${name}.`); try { @@ -88629,9 +88632,9 @@ function wrapApiConfigurationError(e) { } // src/codeql.ts -var fs9 = __toESM(require("fs")); -var path10 = __toESM(require("path")); -var core9 = __toESM(require_core()); +var fs11 = __toESM(require("fs")); +var path12 = __toESM(require("path")); +var core10 = __toESM(require_core()); var toolrunner3 = __toESM(require_toolrunner()); // src/cli-errors.ts @@ -88871,6 +88874,26 @@ function wrapCliConfigurationError(cliError) { return new ConfigurationError(errorMessageBuilder); } +// src/config-utils.ts +var fs7 = __toESM(require("fs")); +var path9 = __toESM(require("path")); +var semver4 = __toESM(require_semver2()); + +// src/analyses.ts +var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { + AnalysisKind2["CodeScanning"] = "code-scanning"; + AnalysisKind2["CodeQuality"] = "code-quality"; + return AnalysisKind2; +})(AnalysisKind || {}); +var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); + +// src/caching-utils.ts +var core6 = __toESM(require_core()); + +// src/diff-informed-analysis-utils.ts +var fs6 = __toESM(require("fs")); +var path8 = __toESM(require("path")); + // src/feature-flags.ts var semver3 = __toESM(require_semver2()); 
@@ -88884,13 +88907,13 @@ var path7 = __toESM(require("path")); var actionsCache = __toESM(require_cache3()); // src/git-utils.ts -var core6 = __toESM(require_core()); +var core7 = __toESM(require_core()); var toolrunner2 = __toESM(require_toolrunner()); var io3 = __toESM(require_io()); var runGitCommand = async function(workingDirectory, args, customErrorMessage) { let stdout = ""; let stderr = ""; - core6.debug(`Running git command: git ${args.join(" ")}`); + core7.debug(`Running git command: git ${args.join(" ")}`); try { await new toolrunner2.ToolRunner(await io3.which("git", true), args, { silent: true, @@ -88910,7 +88933,7 @@ var runGitCommand = async function(workingDirectory, args, customErrorMessage) { if (stderr.includes("not a git repository")) { reason = "The checkout path provided to the action does not appear to be a git repository."; } - core6.info(`git call failed. ${customErrorMessage} Error: ${reason}`); + core7.info(`git call failed. ${customErrorMessage} Error: ${reason}`); throw error2; } }; @@ -89055,7 +89078,7 @@ async function getRef() { ) !== head; if (hasChangedRef) { const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head"); - core6.debug( + core7.debug( `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.` ); return newRef; @@ -89081,7 +89104,7 @@ async function isAnalyzingDefaultBranch() { } // src/logging.ts -var core7 = __toESM(require_core()); +var core8 = __toESM(require_core()); function formatDuration(durationMs) { if (durationMs < 1e3) { return `${durationMs}ms`; 
@@ -89322,12 +89345,96 @@ var featureConfig = { } }; +// src/diff-informed-analysis-utils.ts +function getDiffRangesJsonFilePath() { + return path8.join(getTemporaryDirectory(), "pr-diff-range.json"); +} +function readDiffRangesJsonFile(logger) { + const jsonFilePath = getDiffRangesJsonFilePath(); + if (!fs6.existsSync(jsonFilePath)) { + logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`); + return void 0; + } + const jsonContents = fs6.readFileSync(jsonFilePath, "utf8"); + logger.debug( + `Read pr-diff-range JSON file from ${jsonFilePath}: +${jsonContents}` + ); + return JSON.parse(jsonContents); +} + +// src/trap-caching.ts +var actionsCache2 = __toESM(require_cache3()); + +// src/config-utils.ts +var OVERLAY_ANALYSIS_FEATURES = { + actions: "overlay_analysis_actions" /* OverlayAnalysisActions */, + cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, + csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, + go: "overlay_analysis_go" /* OverlayAnalysisGo */, + java: "overlay_analysis_java" /* OverlayAnalysisJava */, + javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, + python: "overlay_analysis_python" /* OverlayAnalysisPython */, + ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */, + rust: "overlay_analysis_rust" /* OverlayAnalysisRust */, + swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */ +}; +var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { + actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */, + cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, + csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, + go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, + java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, + javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, + python: 
"overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, + ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */, + rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */, + swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */ +}; +var PACK_IDENTIFIER_PATTERN = (function() { + const alphaNumeric = "[a-z0-9]"; + const alphaNumericDash = "[a-z0-9-]"; + const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; + return new RegExp(`^${component}/${component}$`); +})(); +function getPathToParsedConfigFile(tempDir) { + return path9.join(tempDir, "config"); +} +async function getConfig(tempDir, logger) { + const configFile = getPathToParsedConfigFile(tempDir); + if (!fs7.existsSync(configFile)) { + return void 0; + } + const configString = fs7.readFileSync(configFile, "utf8"); + logger.debug("Loaded config:"); + logger.debug(configString); + return JSON.parse(configString); +} +function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) { + if (extraQueryExclusions.length === 0) { + return cliConfig; + } + const augmentedConfig = cloneObject(cliConfig); + augmentedConfig["query-filters"] = [ + // Ordering matters. If the first filter is an inclusion, it implicitly + // excludes all queries that are not included. If it is an exclusion, + // it implicitly includes all queries that are not excluded. So user + // filters (if any) should always be first to preserve intent. 
+ ...augmentedConfig["query-filters"] || [], + ...extraQueryExclusions + ]; + if (augmentedConfig["query-filters"]?.length === 0) { + delete augmentedConfig["query-filters"]; + } + return augmentedConfig; +} + // src/setup-codeql.ts -var fs8 = __toESM(require("fs")); -var path9 = __toESM(require("path")); +var fs10 = __toESM(require("fs")); +var path11 = __toESM(require("path")); var toolcache3 = __toESM(require_tool_cache()); var import_fast_deep_equal = __toESM(require_fast_deep_equal()); -var semver6 = __toESM(require_semver2()); +var semver7 = __toESM(require_semver2()); // node_modules/uuid/dist/esm/stringify.js var byteToHex = []; @@ -89382,12 +89489,12 @@ var v4_default = v4; // src/tar.ts var import_child_process = require("child_process"); -var fs6 = __toESM(require("fs")); +var fs8 = __toESM(require("fs")); var stream = __toESM(require("stream")); var import_toolrunner = __toESM(require_toolrunner()); var io4 = __toESM(require_io()); var toolcache = __toESM(require_tool_cache()); -var semver4 = __toESM(require_semver2()); +var semver5 = __toESM(require_semver2()); var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3"; var MIN_REQUIRED_GNU_TAR_VERSION = "1.31"; async function getTarVersion() { @@ -89429,9 +89536,9 @@ async function isZstdAvailable(logger) { case "gnu": return { available: foundZstdBinary && // GNU tar only uses major and minor version numbers - semver4.gte( - semver4.coerce(version), - semver4.coerce(MIN_REQUIRED_GNU_TAR_VERSION) + semver5.gte( + semver5.coerce(version), + semver5.coerce(MIN_REQUIRED_GNU_TAR_VERSION) ), foundZstdBinary, version: tarVersion @@ -89440,7 +89547,7 @@ async function isZstdAvailable(logger) { return { available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain // a patch version number. - semver4.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), + semver5.gte(version, MIN_REQUIRED_BSD_TAR_VERSION), foundZstdBinary, version: tarVersion }; 
@@ -89455,7 +89562,7 @@ async function isZstdAvailable(logger) {
 }
 }
 async function extract(tarPath, dest, compressionMethod, tarVersion, logger) {
- fs6.mkdirSync(dest, { recursive: true });
+ fs8.mkdirSync(dest, { recursive: true });
 switch (compressionMethod) {
 case "gzip":
 return await toolcache.extractTar(tarPath, dest);
@@ -89539,15 +89646,15 @@ function inferCompressionMethod(tarPath) {
 }
 
 // src/tools-download.ts
-var fs7 = __toESM(require("fs"));
+var fs9 = __toESM(require("fs"));
 var os = __toESM(require("os"));
-var path8 = __toESM(require("path"));
+var path10 = __toESM(require("path"));
 var import_perf_hooks = require("perf_hooks");
-var core8 = __toESM(require_core());
+var core9 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver5 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 var TOOLCACHE_TOOL_NAME = "CodeQL";
 function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) {
@@ -89597,10 +89704,10 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat
 };
 }
 } catch (e) {
- core8.warning(
+ core9.warning(
 `Failed to download and extract CodeQL bundle using streaming with error: ${getErrorMessage(e)}`
 );
- core8.warning(`Falling back to downloading the bundle before extracting.`);
+ core9.warning(`Falling back to downloading the bundle before extracting.`);
 await cleanUpGlob(dest, "CodeQL bundle", logger);
 }
 const toolsDownloadStart = import_perf_hooks.performance.now();
@@ -89646,7 +89753,7 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat
 };
 }
 async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorization, headers, tarVersion, logger) {
- fs7.mkdirSync(dest, { recursive: true });
+ fs9.mkdirSync(dest, { recursive: true });
 const agent = new import_http_client.HttpClient().getAgent(codeqlURL);
 headers = Object.assign(
 { "User-Agent": "CodeQL Action" },
@@ -89674,16 +89781,16 @@ async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorizatio
 await extractTarZst(response, dest, tarVersion, logger);
 }
 function getToolcacheDirectory(version) {
- return path8.join(
+ return path10.join(
 getRequiredEnvParam("RUNNER_TOOL_CACHE"),
 TOOLCACHE_TOOL_NAME,
- semver5.clean(version) || version,
+ semver6.clean(version) || version,
 os.arch() || ""
 );
 }
 function writeToolcacheMarkerFile(extractedPath, logger) {
 const markerFilePath = `${extractedPath}.complete`;
- fs7.writeFileSync(markerFilePath, "");
+ fs9.writeFileSync(markerFilePath, "");
 logger.info(`Created toolcache marker file ${markerFilePath}`);
 }
 function sanitizeUrlForStatusReport(url2) {
@@ -89798,13 +89905,13 @@ function tryGetTagNameFromUrl(url2, logger) {
 return match[1];
 }
 function convertToSemVer(version, logger) {
- if (!semver6.valid(version)) {
+ if (!semver7.valid(version)) {
 logger.debug(
 `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`
 );
 version = `0.0.0-${version}`;
 }
- const s = semver6.clean(version);
+ const s = semver7.clean(version);
 if (!s) {
 throw new Error(`Bundle version ${version} is not in SemVer format.`);
 }
@@ -89814,7 +89921,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
 const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({
 folder: toolcache3.find("CodeQL", version),
 version
- })).filter(({ folder }) => fs8.existsSync(path9.join(folder, "pinned-version")));
+ })).filter(({ folder }) => fs10.existsSync(path11.join(folder, "pinned-version")));
 if (candidates.length === 1) {
 const candidate = candidates[0];
 logger.debug(
@@ -89874,7 +89981,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
 url2 = toolsInput;
 if (tagName) {
 const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger);
- if (bundleVersion3 && semver6.valid(bundleVersion3)) {
+ if (bundleVersion3 && semver7.valid(bundleVersion3)) {
 cliVersion2 = convertToSemVer(bundleVersion3, logger);
 }
 }
@@ -90143,11 +90250,11 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
 async function useZstdBundle(cliVersion2, tarSupportsZstd) {
 return (
 // In testing, gzip performs better than zstd on Windows.
- process.platform !== "win32" && tarSupportsZstd && semver6.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
+ process.platform !== "win32" && tarSupportsZstd && semver7.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
 );
 }
 function getTempExtractionDir(tempDir) {
- return path9.join(tempDir, v4_default());
+ return path11.join(tempDir, v4_default());
 }
 
 // src/tracer-config.ts
@@ -90190,7 +90297,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
 toolsDownloadStatusReport
 )}`
 );
- let codeqlCmd = path10.join(codeqlFolder, "codeql", "codeql");
+ let codeqlCmd = path12.join(codeqlFolder, "codeql", "codeql");
 if (process.platform === "win32") {
 codeqlCmd += ".exe";
 } else if (process.platform !== "linux" && process.platform !== "darwin") {
@@ -90251,12 +90358,12 @@ async function getCodeQLForCmd(cmd, checkVersion) {
 },
 async isTracedLanguage(language) {
 const extractorPath = await this.resolveExtractor(language);
- const tracingConfigPath = path10.join(
+ const tracingConfigPath = path12.join(
 extractorPath,
 "tools",
 "tracing-config.lua"
 );
- return fs9.existsSync(tracingConfigPath);
+ return fs11.existsSync(tracingConfigPath);
 },
 async isScannedLanguage(language) {
 return !await this.isTracedLanguage(language);
@@ -90327,7 +90434,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
 },
 async runAutobuild(config, language) {
 applyAutobuildAzurePipelinesTimeoutFix();
- const autobuildCmd = path10.join(
+ const autobuildCmd = path12.join(
 await this.resolveExtractor(language),
 "tools",
 process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh"
@@ -90648,12 +90755,12 @@ ${output}` ); } else if (checkVersion && process.env["CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */] !== "true" && !await codeQlVersionAtLeast(codeql, CODEQL_NEXT_MINIMUM_VERSION)) { const result = await codeql.getVersion(); - core9.warning( + core10.warning( `CodeQL CLI version ${result.version} was discontinued on ${GHES_MOST_RECENT_DEPRECATION_DATE} alongside GitHub Enterprise Server ${GHES_VERSION_MOST_RECENTLY_DEPRECATED} and will not be supported by the next minor release of the CodeQL Action. Please update to CodeQL CLI version ${CODEQL_NEXT_MINIMUM_VERSION} or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version. Alternatively, if you want to continue using CodeQL CLI version ${result.version}, you can replace 'github/codeql-action/*@v${getActionVersion().split(".")[0]}' by 'github/codeql-action/*@v${getActionVersion()}' in your code scanning workflow to continue using this version of the CodeQL Action.` ); - core9.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); + core10.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); } return codeql; } 
@@ -90705,13 +90812,17 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
 const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
+ const augmentedConfig = appendExtraQueryExclusions(
+ config.extraQueryExclusions,
+ config.computedConfig
+ );
 logger.info(
 `Writing augmented user configuration file to ${codeScanningConfigFile}`
 );
 logger.startGroup("Augmented user configuration file contents");
- logger.info(dump(config.computedConfig));
+ logger.info(dump(augmentedConfig));
 logger.endGroup();
- fs9.writeFileSync(codeScanningConfigFile, dump(config.computedConfig));
+ fs11.writeFileSync(codeScanningConfigFile, dump(augmentedConfig));
 return codeScanningConfigFile;
 }
 var TRAP_CACHE_SIZE_MB = 1024;
@@ -90734,7 +90845,7 @@ async function getTrapCachingExtractorConfigArgsForLang(config, language) {
 ];
 }
 function getGeneratedCodeScanningConfigPath(config) {
- return path10.resolve(config.tempDir, "user-config.yaml");
+ return path12.resolve(config.tempDir, "user-config.yaml");
 }
 function getExtractionVerbosityArguments(enableDebugLogging) {
 return enableDebugLogging ? [`--verbosity=${EXTRACTION_DEBUG_MODE_VERBOSITY}`] : [];
@@ -90754,90 +90865,6 @@ async function getJobRunUuidSarifOptions(codeql) {
 ) ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : [];
 }
 
-// src/config-utils.ts
-var fs11 = __toESM(require("fs"));
-var path12 = __toESM(require("path"));
-var semver7 = __toESM(require_semver2());
-
-// src/analyses.ts
-var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
- AnalysisKind2["CodeScanning"] = "code-scanning";
- AnalysisKind2["CodeQuality"] = "code-quality";
- return AnalysisKind2;
-})(AnalysisKind || {});
-var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
-
-// src/caching-utils.ts
-var core10 = __toESM(require_core());
-
-// src/diff-informed-analysis-utils.ts
-var fs10 = __toESM(require("fs"));
-var path11 = __toESM(require("path"));
-function getDiffRangesJsonFilePath() {
- return path11.join(getTemporaryDirectory(), "pr-diff-range.json");
-}
-function readDiffRangesJsonFile(logger) {
- const jsonFilePath = getDiffRangesJsonFilePath();
- if (!fs10.existsSync(jsonFilePath)) {
- logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`);
- return void 0;
- }
- const jsonContents = fs10.readFileSync(jsonFilePath, "utf8");
- logger.debug(
- `Read pr-diff-range JSON file from ${jsonFilePath}:
-${jsonContents}`
- );
- return JSON.parse(jsonContents);
-}
-
-// src/trap-caching.ts
-var actionsCache2 = __toESM(require_cache3());
-
-// src/config-utils.ts
-var OVERLAY_ANALYSIS_FEATURES = {
- actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
- cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
- csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
- go: "overlay_analysis_go" /* OverlayAnalysisGo */,
- java: "overlay_analysis_java" /* OverlayAnalysisJava */,
- javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
- python: "overlay_analysis_python" /* OverlayAnalysisPython */,
- ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
- rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
- swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
-};
-var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
- actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
- cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
- csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
- go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
- java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
- javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
- python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
- ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
- rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
- swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
-};
-var PACK_IDENTIFIER_PATTERN = (function() {
- const alphaNumeric = "[a-z0-9]";
- const alphaNumericDash = "[a-z0-9-]";
- const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
- return new RegExp(`^${component}/${component}$`);
-})();
-function getPathToParsedConfigFile(tempDir) {
- return path12.join(tempDir, "config");
-}
-async function getConfig(tempDir, logger) {
- const configFile = getPathToParsedConfigFile(tempDir);
- if (!fs11.existsSync(configFile)) {
- return void 0;
- }
- const configString = fs11.readFileSync(configFile, "utf8");
- logger.debug("Loaded config:");
- logger.debug(configString);
- return JSON.parse(configString);
-}
-
 // src/fingerprints.ts
 var fs12 = __toESM(require("fs"));
 var import_path = __toESM(require("path"));
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index 5c58c2e3d..cb13fd3c6 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -117149,10 +117149,10 @@ var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
 var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
 
 // src/autobuild.ts
-var core10 = __toESM(require_core());
+var core11 = __toESM(require_core());
 
 // src/codeql.ts
-var core9 = __toESM(require_core());
+var core10 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());
 
 // src/cli-errors.ts
@@ -117288,6 +117288,12 @@ var cliErrorsConfig = {
 }
 };
 
+// src/config-utils.ts
+var semver4 = __toESM(require_semver2());
+
+// src/caching-utils.ts
+var core6 = __toESM(require_core());
+
 // src/feature-flags.ts
 var semver3 = __toESM(require_semver2());
 
@@ -117295,21 +117301,21 @@ var semver3 = __toESM(require_semver2());
 var actionsCache = __toESM(require_cache3());
 
 // src/git-utils.ts
-var core6 = __toESM(require_core());
+var core7 = __toESM(require_core());
 var toolrunner2 = __toESM(require_toolrunner());
 var io3 = __toESM(require_io());
 
 // src/logging.ts
-var core7 = __toESM(require_core());
+var core8 = __toESM(require_core());
 function getActionsLogger() {
- return core7;
+ return core8;
 }
 function withGroup(groupName, f) {
- core7.startGroup(groupName);
+ core8.startGroup(groupName);
 try {
 return f();
 } finally {
- core7.endGroup();
+ core8.endGroup();
 }
 }
 
@@ -117485,31 +117491,6 @@ var featureConfig = {
 }
 };
 
-// src/setup-codeql.ts
-var toolcache3 = __toESM(require_tool_cache());
-var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver6 = __toESM(require_semver2());
-
-// src/tar.ts
-var import_toolrunner = __toESM(require_toolrunner());
-var io4 = __toESM(require_io());
-var toolcache = __toESM(require_tool_cache());
-var semver4 = __toESM(require_semver2());
-
-// src/tools-download.ts
-var core8 = __toESM(require_core());
-var import_http_client = __toESM(require_lib());
-var toolcache2 = __toESM(require_tool_cache());
-var import_follow_redirects = __toESM(require_follow_redirects());
-var semver5 = __toESM(require_semver2());
-var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
-
-// src/config-utils.ts
-var semver7 = __toESM(require_semver2());
-
-// src/caching-utils.ts
-var core11 = __toESM(require_core());
-
 // src/trap-caching.ts
 var actionsCache2 = __toESM(require_cache3());
 
@@ -117545,6 +117526,25 @@ var PACK_IDENTIFIER_PATTERN = (function() {
 return new RegExp(`^${component}/${component}$`);
 })();
 
+// src/setup-codeql.ts
+var toolcache3 = __toESM(require_tool_cache());
+var import_fast_deep_equal = __toESM(require_fast_deep_equal());
+var semver7 = __toESM(require_semver2());
+
+// src/tar.ts
+var import_toolrunner = __toESM(require_toolrunner());
+var io4 = __toESM(require_io());
+var toolcache = __toESM(require_tool_cache());
+var semver5 = __toESM(require_semver2());
+
+// src/tools-download.ts
+var core9 = __toESM(require_core());
+var import_http_client = __toESM(require_lib());
+var toolcache2 = __toESM(require_tool_cache());
+var import_follow_redirects = __toESM(require_follow_redirects());
+var semver6 = __toESM(require_semver2());
+var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
+
 // src/dependency-caching.ts
 var actionsCache3 = __toESM(require_cache3());
 var glob = __toESM(require_glob3());
diff --git a/lib/upload-sarif-action.js b/lib/upload-sarif-action.js
index 357d43a54..0d4da2cfc 100644
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -88491,6 +88491,9 @@ function satisfiesGHESVersion(ghesVersion, range, defaultIfInvalid) {
 semverVersion.prerelease = [];
 return semver.satisfies(semverVersion, range);
 }
+function cloneObject(obj) {
+ return JSON.parse(JSON.stringify(obj));
+}
 async function checkSipEnablement(logger) {
 if (process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */] !== void 0 && ["true", "false"].includes(process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */])) {
 return process.env["CODEQL_ACTION_IS_SIP_ENABLED" /* IS_SIP_ENABLED */] === "true";
@@ -89762,9 +89765,9 @@ var core12 = __toESM(require_core());
 var jsonschema = __toESM(require_lib2());
 
 // src/codeql.ts
-var fs10 = __toESM(require("fs"));
-var path11 = __toESM(require("path"));
-var core10 = __toESM(require_core());
+var fs12 = __toESM(require("fs"));
+var path13 = __toESM(require("path"));
+var core11 = __toESM(require_core());
 var toolrunner3 = __toESM(require_toolrunner());
 
 // src/cli-errors.ts
@@ -90004,12 +90007,114 @@ function wrapCliConfigurationError(cliError) {
 return new ConfigurationError(errorMessageBuilder);
 }
 
-// src/setup-codeql.ts
-var fs9 = __toESM(require("fs"));
+// src/config-utils.ts
+var fs8 = __toESM(require("fs"));
 var path10 = __toESM(require("path"));
+var semver4 = __toESM(require_semver2());
+
+// src/analyses.ts
+var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => {
+ AnalysisKind2["CodeScanning"] = "code-scanning";
+ AnalysisKind2["CodeQuality"] = "code-quality";
+ return AnalysisKind2;
+})(AnalysisKind || {});
+var supportedAnalysisKinds = new Set(Object.values(AnalysisKind));
+
+// src/caching-utils.ts
+var core9 = __toESM(require_core());
+
+// src/diff-informed-analysis-utils.ts
+var fs7 = __toESM(require("fs"));
+var path9 = __toESM(require("path"));
+function getDiffRangesJsonFilePath() {
+ return path9.join(getTemporaryDirectory(), "pr-diff-range.json");
+}
+function readDiffRangesJsonFile(logger) {
+ const jsonFilePath = getDiffRangesJsonFilePath();
+ if (!fs7.existsSync(jsonFilePath)) {
+ logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`);
+ return void 0;
+ }
+ const jsonContents = fs7.readFileSync(jsonFilePath, "utf8");
+ logger.debug(
+ `Read pr-diff-range JSON file from ${jsonFilePath}:
+${jsonContents}`
+ );
+ return JSON.parse(jsonContents);
+}
+
+// src/trap-caching.ts
+var actionsCache2 = __toESM(require_cache3());
+
+// src/config-utils.ts
+var OVERLAY_ANALYSIS_FEATURES = {
+ actions: "overlay_analysis_actions" /* OverlayAnalysisActions */,
+ cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */,
+ csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */,
+ go: "overlay_analysis_go" /* OverlayAnalysisGo */,
+ java: "overlay_analysis_java" /* OverlayAnalysisJava */,
+ javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */,
+ python: "overlay_analysis_python" /* OverlayAnalysisPython */,
+ ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */,
+ rust: "overlay_analysis_rust" /* OverlayAnalysisRust */,
+ swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */
+};
+var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = {
+ actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */,
+ cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */,
+ csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */,
+ go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */,
+ java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */,
+ javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */,
+ python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */,
+ ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */,
+ rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */,
+ swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */
+};
+var PACK_IDENTIFIER_PATTERN = (function() {
+ const alphaNumeric = "[a-z0-9]";
+ const alphaNumericDash = "[a-z0-9-]";
+ const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`;
+ return new RegExp(`^${component}/${component}$`);
+})();
+function getPathToParsedConfigFile(tempDir) {
+ return path10.join(tempDir, "config");
+}
+async function getConfig(tempDir, logger) {
+ const configFile = getPathToParsedConfigFile(tempDir);
+ if (!fs8.existsSync(configFile)) {
+ return void 0;
+ }
+ const configString = fs8.readFileSync(configFile, "utf8");
+ logger.debug("Loaded config:");
+ logger.debug(configString);
+ return JSON.parse(configString);
+}
+function appendExtraQueryExclusions(extraQueryExclusions, cliConfig) {
+ if (extraQueryExclusions.length === 0) {
+ return cliConfig;
+ }
+ const augmentedConfig = cloneObject(cliConfig);
+ augmentedConfig["query-filters"] = [
+ // Ordering matters. If the first filter is an inclusion, it implicitly
+ // excludes all queries that are not included. If it is an exclusion,
+ // it implicitly includes all queries that are not excluded. So user
+ // filters (if any) should always be first to preserve intent.
+ ...augmentedConfig["query-filters"] || [],
+ ...extraQueryExclusions
+ ];
+ if (augmentedConfig["query-filters"]?.length === 0) {
+ delete augmentedConfig["query-filters"];
+ }
+ return augmentedConfig;
+}
+
+// src/setup-codeql.ts
+var fs11 = __toESM(require("fs"));
+var path12 = __toESM(require("path"));
 var toolcache3 = __toESM(require_tool_cache());
 var import_fast_deep_equal = __toESM(require_fast_deep_equal());
-var semver6 = __toESM(require_semver2());
+var semver7 = __toESM(require_semver2());
 
 // node_modules/uuid/dist/esm/stringify.js
 var byteToHex = [];
@@ -90064,12 +90169,12 @@ var v4_default = v4;
 
 // src/tar.ts
 var import_child_process = require("child_process");
-var fs7 = __toESM(require("fs"));
+var fs9 = __toESM(require("fs"));
 var stream = __toESM(require("stream"));
 var import_toolrunner = __toESM(require_toolrunner());
 var io4 = __toESM(require_io());
 var toolcache = __toESM(require_tool_cache());
-var semver4 = __toESM(require_semver2());
+var semver5 = __toESM(require_semver2());
 var MIN_REQUIRED_BSD_TAR_VERSION = "3.4.3";
 var MIN_REQUIRED_GNU_TAR_VERSION = "1.31";
 async function getTarVersion() {
@@ -90111,9 +90216,9 @@ async function isZstdAvailable(logger) {
 case "gnu":
 return {
 available: foundZstdBinary && // GNU tar only uses major and minor version numbers
- semver4.gte(
- semver4.coerce(version),
- semver4.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
+ semver5.gte(
+ semver5.coerce(version),
+ semver5.coerce(MIN_REQUIRED_GNU_TAR_VERSION)
 ),
 foundZstdBinary,
 version: tarVersion
@@ -90122,7 +90227,7 @@ async function isZstdAvailable(logger) {
 return {
 available: foundZstdBinary && // Do a loose comparison since these version numbers don't contain
 // a patch version number.
- semver4.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
+ semver5.gte(version, MIN_REQUIRED_BSD_TAR_VERSION),
 foundZstdBinary,
 version: tarVersion
 };
@@ -90137,7 +90242,7 @@ async function isZstdAvailable(logger) {
 }
 }
 async function extract(tarPath, dest, compressionMethod, tarVersion, logger) {
- fs7.mkdirSync(dest, { recursive: true });
+ fs9.mkdirSync(dest, { recursive: true });
 switch (compressionMethod) {
 case "gzip":
 return await toolcache.extractTar(tarPath, dest);
@@ -90221,15 +90326,15 @@ function inferCompressionMethod(tarPath) {
 }
 
 // src/tools-download.ts
-var fs8 = __toESM(require("fs"));
+var fs10 = __toESM(require("fs"));
 var os2 = __toESM(require("os"));
-var path9 = __toESM(require("path"));
+var path11 = __toESM(require("path"));
 var import_perf_hooks = require("perf_hooks");
-var core9 = __toESM(require_core());
+var core10 = __toESM(require_core());
 var import_http_client = __toESM(require_lib());
 var toolcache2 = __toESM(require_tool_cache());
 var import_follow_redirects = __toESM(require_follow_redirects());
-var semver5 = __toESM(require_semver2());
+var semver6 = __toESM(require_semver2());
 var STREAMING_HIGH_WATERMARK_BYTES = 4 * 1024 * 1024;
 var TOOLCACHE_TOOL_NAME = "CodeQL";
 function makeDownloadFirstToolsDownloadDurations(downloadDurationMs, extractionDurationMs) {
@@ -90279,10 +90384,10 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat
 };
 }
 } catch (e) {
- core9.warning(
+ core10.warning(
 `Failed to download and extract CodeQL bundle using streaming with error: ${getErrorMessage(e)}`
 );
- core9.warning(`Falling back to downloading the bundle before extracting.`);
+ core10.warning(`Falling back to downloading the bundle before extracting.`);
 await cleanUpGlob(dest, "CodeQL bundle", logger);
 }
 const toolsDownloadStart = import_perf_hooks.performance.now();
@@ -90328,7 +90433,7 @@ async function downloadAndExtract(codeqlURL, compressionMethod, dest, authorizat
 };
 }
 async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorization, headers, tarVersion, logger) {
- fs8.mkdirSync(dest, { recursive: true });
+ fs10.mkdirSync(dest, { recursive: true });
 const agent = new import_http_client.HttpClient().getAgent(codeqlURL);
 headers = Object.assign(
 { "User-Agent": "CodeQL Action" },
@@ -90356,16 +90461,16 @@ async function downloadAndExtractZstdWithStreaming(codeqlURL, dest, authorizatio
 await extractTarZst(response, dest, tarVersion, logger);
 }
 function getToolcacheDirectory(version) {
- return path9.join(
+ return path11.join(
 getRequiredEnvParam("RUNNER_TOOL_CACHE"),
 TOOLCACHE_TOOL_NAME,
- semver5.clean(version) || version,
+ semver6.clean(version) || version,
 os2.arch() || ""
 );
 }
 function writeToolcacheMarkerFile(extractedPath, logger) {
 const markerFilePath = `${extractedPath}.complete`;
- fs8.writeFileSync(markerFilePath, "");
+ fs10.writeFileSync(markerFilePath, "");
 logger.info(`Created toolcache marker file ${markerFilePath}`);
 }
 function sanitizeUrlForStatusReport(url2) {
@@ -90480,13 +90585,13 @@ function tryGetTagNameFromUrl(url2, logger) {
 return match[1];
 }
 function convertToSemVer(version, logger) {
- if (!semver6.valid(version)) {
+ if (!semver7.valid(version)) {
 logger.debug(
 `Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`
 );
 version = `0.0.0-${version}`;
 }
- const s = semver6.clean(version);
+ const s = semver7.clean(version);
 if (!s) {
 throw new Error(`Bundle version ${version} is not in SemVer format.`);
 }
@@ -90496,7 +90601,7 @@ async function findOverridingToolsInCache(humanReadableVersion, logger) {
 const candidates = toolcache3.findAllVersions("CodeQL").filter(isGoodVersion).map((version) => ({
 folder: toolcache3.find("CodeQL", version),
 version
- })).filter(({ folder }) => fs9.existsSync(path10.join(folder, "pinned-version")));
+ })).filter(({ folder }) => fs11.existsSync(path12.join(folder, "pinned-version")));
 if (candidates.length === 1) {
 const candidate = candidates[0];
 logger.debug(
@@ -90556,7 +90661,7 @@ async function getCodeQLSource(toolsInput, defaultCliVersion, apiDetails, varian
 url2 = toolsInput;
 if (tagName) {
 const bundleVersion3 = tryGetBundleVersionFromTagName(tagName, logger);
- if (bundleVersion3 && semver6.valid(bundleVersion3)) {
+ if (bundleVersion3 && semver7.valid(bundleVersion3)) {
 cliVersion2 = convertToSemVer(bundleVersion3, logger);
 }
 }
@@ -90825,11 +90930,11 @@ async function setupCodeQLBundle(toolsInput, apiDetails, tempDir, variant, defau
 async function useZstdBundle(cliVersion2, tarSupportsZstd) {
 return (
 // In testing, gzip performs better than zstd on Windows.
- process.platform !== "win32" && tarSupportsZstd && semver6.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
+ process.platform !== "win32" && tarSupportsZstd && semver7.gte(cliVersion2, CODEQL_VERSION_ZSTD_BUNDLE)
 );
 }
 function getTempExtractionDir(tempDir) {
- return path10.join(tempDir, v4_default());
+ return path12.join(tempDir, v4_default());
 }
 
 // src/tracer-config.ts
@@ -90872,7 +90977,7 @@ async function setupCodeQL(toolsInput, apiDetails, tempDir, variant, defaultCliV
 toolsDownloadStatusReport
 )}`
 );
- let codeqlCmd = path11.join(codeqlFolder, "codeql", "codeql");
+ let codeqlCmd = path13.join(codeqlFolder, "codeql", "codeql");
 if (process.platform === "win32") {
 codeqlCmd += ".exe";
 } else if (process.platform !== "linux" && process.platform !== "darwin") {
@@ -90933,12 +91038,12 @@ async function getCodeQLForCmd(cmd, checkVersion) {
 },
 async isTracedLanguage(language) {
 const extractorPath = await this.resolveExtractor(language);
- const tracingConfigPath = path11.join(
+ const tracingConfigPath = path13.join(
 extractorPath,
 "tools",
 "tracing-config.lua"
 );
- return fs10.existsSync(tracingConfigPath);
+ return fs12.existsSync(tracingConfigPath);
 },
 async isScannedLanguage(language) {
 return !await this.isTracedLanguage(language);
@@ -91009,7 +91114,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
 },
 async runAutobuild(config, language) {
 applyAutobuildAzurePipelinesTimeoutFix();
- const autobuildCmd = path11.join(
+ const autobuildCmd = path13.join(
 await this.resolveExtractor(language),
 "tools",
 process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh"
@@ -91330,12 +91435,12 @@ ${output}` ); } else if (checkVersion && process.env["CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */] !== "true" && !await codeQlVersionAtLeast(codeql, CODEQL_NEXT_MINIMUM_VERSION)) { const result = await codeql.getVersion(); - core10.warning( + core11.warning( `CodeQL CLI version ${result.version} was discontinued on ${GHES_MOST_RECENT_DEPRECATION_DATE} alongside GitHub Enterprise Server ${GHES_VERSION_MOST_RECENTLY_DEPRECATED} and will not be supported by the next minor release of the CodeQL Action. Please update to CodeQL CLI version ${CODEQL_NEXT_MINIMUM_VERSION} or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version. Alternatively, if you want to continue using CodeQL CLI version ${result.version}, you can replace 'github/codeql-action/*@v${getActionVersion().split(".")[0]}' by 'github/codeql-action/*@v${getActionVersion()}' in your code scanning workflow to continue using this version of the CodeQL Action.` ); - core10.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); + core11.exportVariable("CODEQL_ACTION_SUPPRESS_DEPRECATED_SOON_WARNING" /* SUPPRESS_DEPRECATED_SOON_WARNING */, "true"); } return codeql; } 
@@ -91387,13 +91492,17 @@ async function runCli(cmd, args = [], opts = {}) {
 }
 async function writeCodeScanningConfigFile(config, logger) {
 const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
+ const augmentedConfig = appendExtraQueryExclusions(
+ config.extraQueryExclusions,
+ config.computedConfig
+ );
 logger.info(
 `Writing augmented user configuration file to ${codeScanningConfigFile}`
 );
 logger.startGroup("Augmented user configuration file contents");
- logger.info(dump(config.computedConfig));
+ logger.info(dump(augmentedConfig));
 logger.endGroup();
- fs10.writeFileSync(codeScanningConfigFile, dump(config.computedConfig));
+ fs12.writeFileSync(codeScanningConfigFile, dump(augmentedConfig));
 return codeScanningConfigFile;
 }
 var TRAP_CACHE_SIZE_MB = 1024;
@@ -91416,7 +91525,7 @@ async function getTrapCachingExtractorConfigArgsForLang(config, language) {
 ];
 }
 function getGeneratedCodeScanningConfigPath(config) {
- return path11.resolve(config.tempDir, "user-config.yaml");
+ return path13.resolve(config.tempDir, "user-config.yaml");
 }
 function getExtractionVerbosityArguments(enableDebugLogging) {
 return enableDebugLogging ? [`--verbosity=${EXTRACTION_DEBUG_MODE_VERBOSITY}`] : [];
@@ -91436,90 +91545,6 @@ async function getJobRunUuidSarifOptions(codeql) { ) ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`] : []; } -// src/config-utils.ts -var fs12 = __toESM(require("fs")); -var path13 = __toESM(require("path")); -var semver7 = __toESM(require_semver2()); - -// src/analyses.ts -var AnalysisKind = /* @__PURE__ */ ((AnalysisKind2) => { - AnalysisKind2["CodeScanning"] = "code-scanning"; - AnalysisKind2["CodeQuality"] = "code-quality"; - return AnalysisKind2; -})(AnalysisKind || {}); -var supportedAnalysisKinds = new Set(Object.values(AnalysisKind)); - -// src/caching-utils.ts -var core11 = __toESM(require_core()); - -// src/diff-informed-analysis-utils.ts -var fs11 = __toESM(require("fs")); -var path12 = __toESM(require("path")); -function getDiffRangesJsonFilePath() { - return path12.join(getTemporaryDirectory(), "pr-diff-range.json"); -} -function readDiffRangesJsonFile(logger) { - const jsonFilePath = getDiffRangesJsonFilePath(); - if (!fs11.existsSync(jsonFilePath)) { - logger.debug(`Diff ranges JSON file does not exist at ${jsonFilePath}`); - return void 0; - } - const jsonContents = fs11.readFileSync(jsonFilePath, "utf8"); - logger.debug( - `Read pr-diff-range JSON file from ${jsonFilePath}: -${jsonContents}` - ); - return JSON.parse(jsonContents); -} - -// src/trap-caching.ts -var actionsCache2 = __toESM(require_cache3()); - -// src/config-utils.ts -var OVERLAY_ANALYSIS_FEATURES = { - actions: "overlay_analysis_actions" /* OverlayAnalysisActions */, - cpp: "overlay_analysis_cpp" /* OverlayAnalysisCpp */, - csharp: "overlay_analysis_csharp" /* OverlayAnalysisCsharp */, - go: "overlay_analysis_go" /* OverlayAnalysisGo */, - java: "overlay_analysis_java" /* OverlayAnalysisJava */, - javascript: "overlay_analysis_javascript" /* OverlayAnalysisJavascript */, - python: "overlay_analysis_python" /* OverlayAnalysisPython */, - ruby: "overlay_analysis_ruby" /* OverlayAnalysisRuby */, - rust: "overlay_analysis_rust" /* OverlayAnalysisRust */, - 
swift: "overlay_analysis_swift" /* OverlayAnalysisSwift */ -}; -var OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES = { - actions: "overlay_analysis_code_scanning_actions" /* OverlayAnalysisCodeScanningActions */, - cpp: "overlay_analysis_code_scanning_cpp" /* OverlayAnalysisCodeScanningCpp */, - csharp: "overlay_analysis_code_scanning_csharp" /* OverlayAnalysisCodeScanningCsharp */, - go: "overlay_analysis_code_scanning_go" /* OverlayAnalysisCodeScanningGo */, - java: "overlay_analysis_code_scanning_java" /* OverlayAnalysisCodeScanningJava */, - javascript: "overlay_analysis_code_scanning_javascript" /* OverlayAnalysisCodeScanningJavascript */, - python: "overlay_analysis_code_scanning_python" /* OverlayAnalysisCodeScanningPython */, - ruby: "overlay_analysis_code_scanning_ruby" /* OverlayAnalysisCodeScanningRuby */, - rust: "overlay_analysis_code_scanning_rust" /* OverlayAnalysisCodeScanningRust */, - swift: "overlay_analysis_code_scanning_swift" /* OverlayAnalysisCodeScanningSwift */ -}; -var PACK_IDENTIFIER_PATTERN = (function() { - const alphaNumeric = "[a-z0-9]"; - const alphaNumericDash = "[a-z0-9-]"; - const component = `${alphaNumeric}(${alphaNumericDash}*${alphaNumeric})?`; - return new RegExp(`^${component}/${component}$`); -})(); -function getPathToParsedConfigFile(tempDir) { - return path13.join(tempDir, "config"); -} -async function getConfig(tempDir, logger) { - const configFile = getPathToParsedConfigFile(tempDir); - if (!fs12.existsSync(configFile)) { - return void 0; - } - const configString = fs12.readFileSync(configFile, "utf8"); - logger.debug("Loaded config:"); - logger.debug(configString); - return JSON.parse(configString); -} - // src/fingerprints.ts var fs13 = __toESM(require("fs")); var import_path = __toESM(require("path")); diff --git a/src/codeql.ts b/src/codeql.ts index 7fb899470..567eb8087 100644 --- a/src/codeql.ts +++ b/src/codeql.ts 
@@ -13,7 +13,7 @@ import {
 } from "./actions-util";
 import * as api from "./api-client";
 import { CliError, wrapCliConfigurationError } from "./cli-errors";
-import { type Config } from "./config-utils";
+import { appendExtraQueryExclusions, type Config } from "./config-utils";
 import { DocUrl } from "./doc-url";
 import { EnvVar } from "./environment";
 import {
@@ -1149,11 +1149,11 @@ async function runCli(
 }
 
 /**
- * Generates a code scanning configuration that is to be used for a scan.
+ * Writes the code scanning configuration that is to be used by the CLI.
 *
 * @param codeql The CodeQL object to use.
- * @param config The configuration to use.
- * @returns the path to the generated user configuration file.
+ * @param config The CodeQL Action state to use.
+ * @returns The path to the generated user configuration file.
 */
 async function writeCodeScanningConfigFile(
 config: Config,
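Review bot: The rewritten docstring in the second hunk (`@@ -1149`) still carries `@param codeql The CodeQL object to use.`, yet the visible signature begins with `config: Config,` and the body in the next hunk only uses `config` and `logger`, so that entry looks stale. If there is no `codeql` parameter, drop that line and document the logger instead, `* @param logger The logger to use.`. The parameter list of writeCodeScanningConfigFile continues outside this hunk, so confirm against the full signature before changing it.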
@@ -1161,14 +1161,24 @@ async function writeCodeScanningConfigFile(
 ): Promise {
 const codeScanningConfigFile = getGeneratedCodeScanningConfigPath(config);
 
+ // Apply the `extraQueryExclusions` from the CodeQL Action state to the CLI configuration.
+ // We do this here at the latest possible point before passing the CLI configuration on to
+ // the CLI so that the `extraQueryExclusions` appear after all user-configured `query-filters`.
+ // See the comment in `applyExtraQueryExclusions` for more information, as well as
+ // https://github.com/github/codeql-action/pull/2938
+ const augmentedConfig = appendExtraQueryExclusions(
+ config.extraQueryExclusions,
+ config.computedConfig,
+ );
+
 logger.info(
 `Writing augmented user configuration file to ${codeScanningConfigFile}`,
 );
 logger.startGroup("Augmented user configuration file contents");
- logger.info(yaml.dump(config.computedConfig));
+ logger.info(yaml.dump(augmentedConfig));
 logger.endGroup();
 
- fs.writeFileSync(codeScanningConfigFile, yaml.dump(config.computedConfig));
+ fs.writeFileSync(codeScanningConfigFile, yaml.dump(augmentedConfig));
 return codeScanningConfigFile;
 }
 
diff --git a/src/config-utils.test.ts b/src/config-utils.test.ts
index d3bfb62b8..b133f500b 100644
--- a/src/config-utils.test.ts
+++ b/src/config-utils.test.ts
@@ -348,6 +348,7 @@ test("load non-empty input", async (t) => {
 trapCaches: {},
 trapCacheDownloadTime: 0,
 dependencyCachingEnabled: CachingKind.None,
+ extraQueryExclusions: [],
 overlayDatabaseMode: OverlayDatabaseMode.None,
 useOverlayDatabaseCaching: false,
 };
diff --git a/src/config-utils.ts b/src/config-utils.ts
index 9c0d535a4..40d1da687 100644
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
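Review bot: The new comment in the codeql.ts hunk points readers at `applyExtraQueryExclusions`, but the helper added in config-utils.ts and imported here is named `appendExtraQueryExclusions`, so the cross-reference is broken; change it to `// See the comment in \`appendExtraQueryExclusions\` for more information, as well as`. In the same function `yaml.dump(augmentedConfig)` is evaluated twice, once for the log group and once for the file; serialising once with `const augmentedConfigYaml = yaml.dump(augmentedConfig);` and passing that to both `logger.info` and `fs.writeFileSync` makes it certain that what is logged is byte-for-byte what the CLI reads. writeCodeScanningConfigFile starts before this hunk, so its full signature is not visible here.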
@@ -170,6 +170,11 @@ export interface Config {
 /** A value indicating how dependency caching should be used. */
 dependencyCachingEnabled: CachingKind;
 
+ /**
+ * Extra query exclusions to append to the config.
+ */
+ extraQueryExclusions: ExcludeQueryFilter[];
+
 /**
 * The overlay database mode to use.
 */
@@ -218,11 +223,6 @@ export interface AugmentationProperties {
 * The packs input from the `with` block of the action declaration
 */
 packsInput?: string[];
-
- /**
- * Extra query exclusions to append to the config.
- */
- extraQueryExclusions: ExcludeQueryFilter[];
 }
 
 /**
@@ -234,7 +234,6 @@ export const defaultAugmentationProperties: AugmentationProperties = {
 packsInputCombines: false,
 packsInput: undefined,
 queriesInput: undefined,
- extraQueryExclusions: [],
 };
 
 export type Packs = Partial>;
@@ -595,6 +594,7 @@ export async function getDefaultConfig({
 trapCaches,
 trapCacheDownloadTime,
 dependencyCachingEnabled: getCachingKind(dependencyCachingEnabled),
+ extraQueryExclusions: [],
 overlayDatabaseMode: OverlayDatabaseMode.None,
 useOverlayDatabaseCaching: false,
 };
@@ -683,7 +683,6 @@ export async function calculateAugmentation(
 packsInput: packsInput?.[languages[0]],
 queriesInput,
 queriesInputCombines,
- extraQueryExclusions: [],
 };
 }
 
@@ -1145,10 +1144,7 @@ export async function initConfig(inputs: InitConfigInputs): Promise {
 logger,
 ))
 ) {
- if (config.computedConfig["query-filters"] === undefined) {
- config.computedConfig["query-filters"] = [];
- }
- config.computedConfig["query-filters"].push({
+ config.extraQueryExclusions.push({
 exclude: { tags: "exclude-from-incremental" },
 });
 }
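Review bot: The doc comment on the new `extraQueryExclusions` field of `Config` in the first hunk (`@@ -170`) was moved over verbatim and only says the exclusions are appended "to the config", which no longer tells a reader which configuration or at what point; the field is filled by `config.extraQueryExclusions.push(...)` in `initConfig` (last hunk) and is merged only when the CLI configuration is written. Suggest `/** Extra query exclusions that are appended to the CLI configuration's \`query-filters\` (after any user-supplied filters) when the configuration file for the CLI is written; see \`appendExtraQueryExclusions\`. */`. Because `initConfig` grows this array in place, the field cannot be `readonly`, and the comment could state that the list is expected to be extended during initialisation so that nobody later "fixes" it.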
@@ -1478,17 +1474,41 @@ export function generateCodeScanningConfig(
 delete augmentedConfig.packs;
 }
 
+ return augmentedConfig;
+}
+
+/**
+ * Appends `extraQueryExclusions` to `cliConfig`'s `query-filters`.
+ *
+ * @param extraQueryExclusions The extra query exclusions to append to the `query-filters`.
+ * @param cliConfig The CodeQL CLI configuration to extend.
+ * @returns Returns `cliConfig` if there are no extra query exclusions
+ * or a copy of `cliConfig` where the extra query exclusions
+ * have been appended to `query-filters`.
+ */
+export function appendExtraQueryExclusions(
+ extraQueryExclusions: ExcludeQueryFilter[],
+ cliConfig: UserConfig,
+): UserConfig {
+ if (extraQueryExclusions.length === 0) {
+ return cliConfig;
+ }
+
+ // make a copy so we can modify it
+ const augmentedConfig = cloneObject(cliConfig);
+
 augmentedConfig["query-filters"] = [
 // Ordering matters. If the first filter is an inclusion, it implicitly
 // excludes all queries that are not included. If it is an exclusion,
 // it implicitly includes all queries that are not excluded. So user
 // filters (if any) should always be first to preserve intent.
 ...(augmentedConfig["query-filters"] || []),
- ...augmentationProperties.extraQueryExclusions,
+ ...extraQueryExclusions,
 ];
 if (augmentedConfig["query-filters"]?.length === 0) {
 delete augmentedConfig["query-filters"];
 }
+
 return augmentedConfig;
 }
 
diff --git a/src/testing-utils.ts b/src/testing-utils.ts
index 943c4be34..6e1763b00 100644
--- a/src/testing-utils.ts
+++ b/src/testing-utils.ts
@@ -373,11 +373,11 @@ export function createTestConfig(overrides: Partial): Config {
 augmentationProperties: {
 packsInputCombines: false,
 queriesInputCombines: false,
- extraQueryExclusions: [],
 } satisfies AugmentationProperties,
 trapCaches: {},
 trapCacheDownloadTime: 0,
 dependencyCachingEnabled: CachingKind.None,
+ extraQueryExclusions: [],
 overlayDatabaseMode: OverlayDatabaseMode.None,
 useOverlayDatabaseCaching: false,
 } satisfies Config,
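Review bot: In `appendExtraQueryExclusions` the retained check `if (augmentedConfig["query-filters"]?.length === 0)` can no longer fire: the early return above it guarantees `extraQueryExclusions` is non-empty, so the spread always produces at least one filter and the `delete` branch is dead code; drop those three lines, or keep them only if the early return goes. The copy is made with `cloneObject`, whose definition and import are not in this hunk; if it is a JSON round-trip clone, the docstring should say that `undefined`-valued keys and any non-JSON values in `cliConfig` are dropped from the returned copy, which is acceptable for a YAML-parsed user config but is a silent difference from the no-exclusions path that hands back `cliConfig` itself. `extraQueryExclusions` is only spread, so `extraQueryExclusions: readonly ExcludeQueryFilter[],` would document that the helper never mutates the caller's array. `generateCodeScanningConfig`, whose tail opens this hunk, starts outside it.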