github/codeql-action
1
0
Fork 0
mirror of https://github.com/github/codeql-action.git synced 2025-12-27 01:30:10 +08:00
Code Issues Packages Projects Releases Wiki Activity
1,193 Commits 297 Branches 500 Tags
codeql-bundle-20210503
Commit Graph

1193 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Henning Makholm
cb5810848d Merge pull request #470 from github/hmakholm/pr/2.5.3 
update bundle to 20210430
codeql-bundle-20210503 		2021-04-30 19:02:00 +02:00
Henning Makholm
7ab95f642d update bundle to 20210430 2021-04-30 18:26:08 +02:00
Chris Gavin
33bb16c8b4 Merge pull request #457 from github/restrict-permissions 
Restrict Actions token permissions in CodeQL workflow.
codeql-bundle-20210430 		2021-04-30 14:19:45 +01:00
Chris Gavin
d879f4b84e Merge branch 'main' into restrict-permissions 2021-04-30 13:55:34 +01:00
Chris Gavin
e305db89c2 Fix the token permissions for private copies of the CodeQL Action, and for runs that are not from pull requests. 2021-04-30 13:47:54 +01:00
Andrew Eisenberg
1585462c63 Merge pull request #465 from github/aeisenberg/lines-of-code-trim 
Avoid analyzing excluded language files for line counting
codeql-bundle-20210429 		2021-04-28 16:41:55 -07:00
Andrew Eisenberg
ee2346270d Avoid analyzing excluded language files for line counting 
This change passes in a list of file types to the line counting
analysis. These are the languages for the databases being analyzed.
Line count analysis is restricted to these files.
 2021-04-28 16:07:55 -07:00
Andrew Eisenberg
5c0a38d7e4 Update github-linguist dependency 
This version adds a larger list of auto-excluded binary files.
And allows for the passing of a list of file types to restrict
analysis to.
 2021-04-28 14:55:17 -07:00
Andrew Eisenberg
03f029c2a1 Merge pull request #459 from github/aeisenberg/add-linguist-data 
Add baseline metrics for lines of code
 2021-04-26 14:23:31 -07:00
Andrew Eisenberg
998f472183 Add baseline metrics for lines of code 
This commit uses a third party library to estimate the lines of code in
a database that is to be analyzed by codeql.

The estimate uses the same includes and excludes globs for determining
which files should be counted.

The lines of code count is returned by language and injected into the
SARIF as `baseline` property in the `${language}/summary/lines-of-code`
metric.
 2021-04-26 14:09:38 -07:00
Andrew Eisenberg
7c5b1287d5 Merge pull request #460 from github/dependabot/npm_and_yarn/runner/ssri-6.0.2 
Bump ssri from 6.0.1 to 6.0.2 in /runner
 2021-04-23 14:19:20 -07:00
dependabot[bot]
e2d70d6a0b Bump ssri from 6.0.1 to 6.0.2 in /runner 
Bumps [ssri](https://github.com/npm/ssri) from 6.0.1 to 6.0.2.
- [Release notes](https://github.com/npm/ssri/releases)
- [Changelog](https://github.com/npm/ssri/blob/v6.0.2/CHANGELOG.md)
- [Commits](https://github.com/npm/ssri/compare/v6.0.1...v6.0.2)

Signed-off-by: dependabot[bot] <support@github.com>
 2021-04-23 18:01:34 +00:00
Andrew Eisenberg
e266dfb63e Merge pull request #458 from github/aeisenberg/add-github-linguist 
Add the github-linguist package
 2021-04-23 10:59:56 -07:00
Andrew Eisenberg
b6b197e0ad Merge branch 'main' into aeisenberg/add-github-linguist 2021-04-23 10:54:04 -07:00
Robert
ba64dfb959 Merge pull request #456 from github/robertbrignull/toolcache-interface 
Introduce our own toolcache implementation for use by the runnner
 2021-04-23 16:24:04 +01:00
Robert
27bf3a208d fix typo 2021-04-23 10:01:50 +01:00
Robert
8207018b75 make query more robust 2021-04-23 10:01:28 +01:00
Robert
ce467e7e36 use safeWhich 2021-04-23 09:59:23 +01:00
Andrew Eisenberg
c4a84a93d4 Add the github-linguist package 
This commit only adds a single package and all of its transitive
dependencies. The github-linguist package will be used for counting
lines of code as a baseline for databases we are analyzing.
 2021-04-22 15:59:49 -07:00
Chris Gavin
643bc6e3ed Remove spurious blank line. 2021-04-22 17:26:26 +01:00
Chris Gavin
7e85b5d66a Restrict Actions token permissions in CodeQL workflow. 2021-04-22 17:07:03 +01:00
Robert
8c91ba83e2 Introduce our own toolcache implementation for use by the runnner 2021-04-22 15:31:15 +01:00
Henning Makholm
896b4ff181 Merge pull request #454 from github/hmakholm/pr/2.5.2 
update bundle to 20210421 (CLI 2.5.2)
 2021-04-21 20:24:18 +02:00
Henning Makholm
cb4c96ba60 Merge remote-tracking branch 'origin/main' into hmakholm/pr/2.5.2 2021-04-21 18:56:33 +02:00
Edoardo Pirovano
578f9fc99e Add external git repositories to search path for custom queries 2021-04-21 17:40:56 +01:00
Henning Makholm
46517cfb47 update bundle to 20210421 (CLI 2.5.2) 2021-04-21 17:31:57 +02:00
David Verdeguer
1fa35632f2 Merge pull request #452 from github/daverlo/category 
Ignore non-string values in populateRunAutomationDetails
codeql-bundle-20210421 		2021-04-20 13:31:19 +02:00
David Verdeguer
496bf0ec11 Ignore non-string values in populateRunAutomationDetails 2021-04-20 12:53:16 +02:00
David Verdeguer
8bd2b3516b Merge pull request #446 from github/daverlo/runAutomationDetails 
Add automationdetails id to runs
codeql-bundle-20210419 		2021-04-19 11:30:53 +02:00
David Verdeguer
bc14da99c5 Merge branch 'main' into daverlo/runAutomationDetails 2021-04-19 10:47:18 +02:00
David Verdeguer
351d36fd18 Add test for existing automationDetails 2021-04-19 09:04:58 +02:00
Andrew Eisenberg
c87ee1c65a [Runner] Throw error on unknown option in init command 
And explicitly document the advanced --trace-process-name and
--trace-process-level args.
 2021-04-16 12:09:26 -07:00
David Verdeguer
0ece0d074b Fix populateRunAutomationDetails for null environments 2021-04-16 09:24:34 +02:00
David Verdeguer
de611b2de3 Prevent the automationDetails to be regenerated if it already exists 2021-04-16 07:47:42 +02:00
David Verdeguer
47755f0910 Add automationdetails id to runs 2021-04-15 16:20:49 +02:00
Andrew Eisenberg
6aebd1b98a Fixes a regex for language and locale recognition 
See https://github.com/oasis-tcs/sarif-spec/pull/490
See #418

Note that this changes the sarif spec file. Unless this
change is actually merged in the sarif spec repo, the
version used by the action will be slightly different.
 2021-04-14 08:10:56 -07:00
Aditya Sharad
0c2281fb06 Merge pull request #441 from adityasharad/tests/matrix-tools-latest 
PR checks: Run integration tests against both `tools: null` and `tools: latest`
 2021-04-09 16:24:56 -07:00
Aditya Sharad
fcf0863613 Merge branch 'main' into tests/matrix-tools-latest 2021-04-09 16:11:35 -07:00
Andrew Eisenberg
534192fa05 Use externalRepoAuth when getting a remote config 
This allows users to specify a different token for retrieving the
codeql config from a different repository.

Fixes https://github.com/github/advanced-security-field/issues/185
 2021-04-09 15:00:57 -07:00
Aditya Sharad
64b50fa2a6 Code scanning: Compare the default and latest CodeQL tools bundles 
Create a prerequisite job that runs the init step twice, with `tools: null` and `tools: latest`.
Use the outputs of these steps to compare the two CodeQL versions.
Pass the list of distinct tool versions for the analysis job to matrix over.
This lets us test the analysis against both versions, while avoiding duplication
when they are actually the same version.
 2021-04-09 14:51:18 -07:00
Aditya Sharad
51b1d7d81f PR checks: Compare the default and latest CodeQL tools bundles 
Create a prerequisite job that runs the init step twice, with `tools: null` and `tools: latest`.
Use the outputs of these steps to compare the two CodeQL versions.
Pass the list of distinct tool versions for the integration tests to use in their matrix strategy.
This avoids redundant test jobs when the default and latest bundles are actually the same version of CodeQL.

`~` is accepted by JSON but not by the Actions context language, so we use `null` to indicate the default version.
 2021-04-09 13:38:30 -07:00
Aditya Sharad
f9a19da7bf PR checks: Run integration tests against both tools: null and tools: latest 
Always test against both the default and latest CodeQL bundle.

This improves test coverage shortly after a CodeQL bundle release, where the latest bundle
may not yet be built into the Actions VM image as the default bundle.

It also saves a manual step during bundle release testing,
since we no longer need to temporarily change the PR checks to `tools: latest`.

There is some redundancy when the latest bundle is the same as the default bundle on the VM image,
but this can be considered a test for the `tools: latest` configuration.
 2021-04-08 13:39:01 -07:00
Aditya Sharad
7f9fb10a74 Merge pull request #437 from github/dependabot/npm_and_yarn/runner/y18n-4.0.1 
Bump y18n from 4.0.0 to 4.0.1 in /runner
 2021-04-01 14:57:41 -07:00
Aditya Sharad
2f9f143d73 Merge branch 'main' into dependabot/npm_and_yarn/runner/y18n-4.0.1 2021-04-01 14:18:52 -07:00
Aditya Sharad
356d7a0637 Merge pull request #436 from github/dependabot/npm_and_yarn/y18n-4.0.1 
Bump y18n from 4.0.0 to 4.0.1
 2021-04-01 14:18:21 -07:00
Robert
def266fc62 update node modules 2021-04-01 10:37:02 +01:00
dependabot[bot]
5c715f3945 Bump y18n from 4.0.0 to 4.0.1 in /runner 
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>
 2021-04-01 06:56:53 +00:00
dependabot[bot]
d0b1259bbe Bump y18n from 4.0.0 to 4.0.1 
Bumps [y18n](https://github.com/yargs/y18n) from 4.0.0 to 4.0.1.
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Signed-off-by: dependabot[bot] <support@github.com>
 2021-03-31 22:46:11 +00:00
Aditya Sharad
8f0d3f7541 Merge pull request #435 from github/robertbrignull/dependabot_error 
Add special error message case for dependabot
 2021-03-31 07:47:05 -07:00
Robert
ca27066d09 fix grammar / punctuation 2021-03-31 11:05:30 +01:00