Force exit of process if a timeout has occurred

Add ATM 0.4.0 to changelog

.github/workflows/__export-file-baseline-information.yml

@@ -0,0 +1,85 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - Export file baseline information
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  export-file-baseline-information:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
+    name: Export file baseline information
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+      env:
+        CODEQL_FILE_BASELINE_INFORMATION: true
+        TEST_MODE: true
+    - name: Build code
+      shell: bash
+      run: ./build.sh
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+      env:
+        CODEQL_FILE_BASELINE_INFORMATION: true
+        TEST_MODE: true
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+    - name: Check results
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        expected_baseline_languages="cpp csharp go java js python ruby"
+
+        for lang in ${expected_baseline_languages}; do
+          rule_name="${lang}/baseline/expected-extracted-files"
+          found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
+            select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
+          if [[ "${found_notification}" != "true" ]]; then
+            echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
+            exit 1
+          else
+            echo "Found notification '${rule_name}'."
+          fi
+        done
+    env:
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__test-proxy.yml

@@ -51,10 +51,10 @@ jobs:
       https_proxy: http://squid-proxy:3128
       INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
     container:
-      image: ubuntu:18.04
+      image: ubuntu:22.04
       options: --dns 127.0.0.1
     services:
       squid-proxy:
-        image: datadog/squid:latest
+        image: ubuntu/squid:latest
         ports:
         - 3128:3128

CHANGELOG.md

@@ -2,7 +2,15 @@
 
 ## [UNRELEASED]
 
-No user facing changes.
+- Update the ML-powered additional query pack for JavaScript to version 0.4.0.
+
+## 2.1.31 - 04 Nov 2022
+
+- The `rb/weak-cryptographic-algorithm` Ruby query has been updated to no longer report uses of hash functions such as `MD5` and `SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice. For more information, see the corresponding change in the [github/codeql repository](https://github.com/github/codeql/pull/11129). [#1344](https://github.com/github/codeql-action/pull/1344)
+
+## 2.1.30 - 02 Nov 2022
+
+- Improve the error message when using CodeQL bundle version 2.7.2 and earlier in a workflow that runs on a runner image such as `ubuntu-22.04` that uses glibc version 2.34 and later. [#1334](https://github.com/github/codeql-action/pull/1334)
 
 ## 2.1.29 - 26 Oct 2022
 

README.md

@@ -61,7 +61,7 @@ jobs:
         # with:
         #   languages: go, javascript, csharp, python, cpp, java
 
-      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below).
       - name: Autobuild
         uses: github/codeql-action/autobuild@v2

lib/actions-util.js

@@ -502,6 +502,12 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
     const runnerOs = (0, util_1.getRequiredEnvParam)("RUNNER_OS");
     const codeQlCliVersion = (0, util_1.getCachedCodeQlVersion)();
     const actionRef = process.env["GITHUB_ACTION_REF"];
+    const testingEnvironment = process.env[sharedEnv.CODEQL_ACTION_TESTING_ENVIRONMENT] || "";
+    // re-export the testing environment variable so that it is available to subsequent steps,
+    // even if it was only set for this step
+    if (testingEnvironment !== "") {
+        core.exportVariable(sharedEnv.CODEQL_ACTION_TESTING_ENVIRONMENT, testingEnvironment);
+    }
     const statusReport = {
         workflow_run_id: workflowRunID,
         workflow_name: workflowName,
@@ -515,6 +521,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
         started_at: workflowStartedAt,
         action_started_at: actionStartedAt.toISOString(),
         status,
+        testing_environment: testingEnvironment,
         runner_os: runnerOs,
         action_version: pkg.version,
     };

lib/analyze.js

@@ -227,7 +227,7 @@ async function runQueries(sarifFolder, memoryFlag, addSnippetsFlag, threadsFlag,
     return statusReport;
     async function runInterpretResults(language, queries, sarifFile, enableDebugLogging) {
         const databasePath = util.getCodeQLDatabasePath(config, language);
-        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId);
+        return await codeql.databaseInterpretResults(databasePath, queries, sarifFile, addSnippetsFlag, threadsFlag, enableDebugLogging ? "-vv" : "-v", automationDetailsId, featureEnablement);
     }
     async function cliCanCountLoC() {
         return await util.codeQlVersionAbove(await (0, codeql_1.getCodeQL)(config.codeQLCmd), codeql_1.CODEQL_VERSION_COUNTS_LINES);

lib/codeql.js

@@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
+exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
@@ -43,10 +43,11 @@ const trap_caching_1 = require("./trap-caching");
 const util = __importStar(require("./util"));
 const util_1 = require("./util");
 class CommandInvocationError extends Error {
-    constructor(cmd, args, exitCode, error) {
+    constructor(cmd, args, exitCode, error, output) {
         super(`Failure invoking ${cmd} with arguments ${args}.\n
       Exit code ${exitCode} and error was:\n
       ${error}`);
+        this.output = output;
     }
 }
 exports.CommandInvocationError = CommandInvocationError;
@@ -93,6 +94,11 @@ exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
  * versions above that.
  */
 exports.CODEQL_VERSION_NEW_TRACING = "2.7.0";
+/**
+ * Versions 2.7.3+ of the CodeQL CLI support build tracing with glibc 2.34 on Linux. Versions before
+ * this cannot perform build tracing when running on the Actions `ubuntu-22.04` runner image.
+ */
+exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = "2.7.3";
 /**
  * Versions 2.9.0+ of the CodeQL CLI run machine learning models from a temporary directory, which
  * resolves an issue on Windows where TensorFlow models are not correctly loaded due to the path of
@@ -467,15 +473,32 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             // action/runner has been implemented in `codeql database trace-command`
             // _and_ is present in the latest supported CLI release.)
             const envFile = path.resolve(databasePath, "working", "env.tmp");
-            await runTool(cmd, [
-                "database",
-                "trace-command",
-                databasePath,
-                ...getExtraOptionsFromEnv(["database", "trace-command"]),
-                process.execPath,
-                tracerEnvJs,
-                envFile,
-            ]);
+            try {
+                await runTool(cmd, [
+                    "database",
+                    "trace-command",
+                    databasePath,
+                    ...getExtraOptionsFromEnv(["database", "trace-command"]),
+                    process.execPath,
+                    tracerEnvJs,
+                    envFile,
+                ]);
+            }
+            catch (e) {
+                if (e instanceof CommandInvocationError &&
+                    e.output.includes("undefined symbol: __libc_dlopen_mode, version GLIBC_PRIVATE") &&
+                    process.platform === "linux" &&
+                    !(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_TRACING_GLIBC_2_34))) {
+                    throw new util.UserError("The CodeQL CLI is incompatible with the version of glibc on your system. " +
+                        `Please upgrade to CodeQL CLI version ${exports.CODEQL_VERSION_TRACING_GLIBC_2_34} or ` +
+                        "later. If you cannot upgrade to a newer version of the CodeQL CLI, you can " +
+                        `alternatively run your workflow on another runner image such as "ubuntu-20.04" ` +
+                        "that has glibc 2.33 or earlier installed.");
+                }
+                else {
+                    throw e;
+                }
+            }
             return JSON.parse(fs.readFileSync(envFile, "utf-8"));
         },
         async databaseInit(databasePath, language, sourceRoot) {
@@ -675,7 +698,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             }
             await runTool(cmd, codeqlArgs);
         },
-        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId) {
+        async databaseInterpretResults(databasePath, querySuitePaths, sarifFile, addSnippetsFlag, threadsFlag, verbosityFlag, automationDetailsId, featureEnablement) {
             const codeqlArgs = [
                 "database",
                 "interpret-results",
@@ -698,6 +721,9 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 (await util.codeQlVersionAbove(this, CODEQL_VERSION_SARIF_GROUP))) {
                 codeqlArgs.push("--sarif-category", automationDetailsId);
             }
+            if (await featureEnablement.getValue(feature_flags_1.Feature.FileBaselineInformationEnabled, this)) {
+                codeqlArgs.push("--sarif-add-baseline-file-info");
+            }
             codeqlArgs.push(databasePath);
             if (querySuitePaths) {
                 codeqlArgs.push(...querySuitePaths);
@@ -864,7 +890,7 @@ async function runTool(cmd, args = []) {
         ignoreReturnCode: true,
     }).exec();
     if (exitCode !== 0)
-        throw new CommandInvocationError(cmd, args, exitCode, error);
+        throw new CommandInvocationError(cmd, args, exitCode, error, output);
     return output;
 }
 /**

lib/codeql.test.js

@@ -308,14 +308,14 @@ for (const [isFeatureEnabled, toolsInput, shouldToolcacheBeBypassed,] of TOOLCAC
     const runnerConstructorStub = stubToolRunnerConstructor();
     const codeqlObject = await codeql.getCodeQLForTesting();
     sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
     t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be absent, but it is present");
 });
 (0, ava_1.default)("databaseInterpretResults() sets --sarif-add-query-help for 2.7.1", async (t) => {
     const runnerConstructorStub = stubToolRunnerConstructor();
     const codeqlObject = await codeql.getCodeQLForTesting();
     sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
-    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
     t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"), "--sarif-add-query-help should be present, but it is absent");
 });
 (0, ava_1.default)("databaseInitCluster() without injected codescanning config", async (t) => {
@@ -564,6 +564,26 @@ const injectedConfigMacro = ava_1.default.macro({
         process.env["CODEQL_PASS_CONFIG_TO_CLI"] = origCODEQL_PASS_CONFIG_TO_CLI;
     }
 });
+(0, ava_1.default)("databaseInterpretResults() sets --sarif-add-baseline-file-info when feature enabled", async (t) => {
+    const runnerConstructorStub = stubToolRunnerConstructor();
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
+    // The version of CodeQL is checked separately to determine feature enablement, and does not
+    // otherwise impact this test, so set it to 0.0.0.
+    sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([feature_flags_1.Feature.FileBaselineInformationEnabled]));
+    t.true(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info should be present, but it is absent");
+});
+(0, ava_1.default)("databaseInterpretResults() does not set --sarif-add-baseline-file-info if feature disabled", async (t) => {
+    const runnerConstructorStub = stubToolRunnerConstructor();
+    const codeqlObject = await codeql.getCodeQLForTesting();
+    // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
+    // The version of CodeQL is checked upstream to determine feature enablement, so it does not
+    // affect this test.
+    sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
+    await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "", (0, testing_utils_1.createFeatures)([]));
+    t.false(runnerConstructorStub.firstCall.args[1].includes("--sarif-add-baseline-file-info"), "--sarif-add-baseline-file-info must be absent, but it is present");
+});
 function stubToolRunnerConstructor() {
     const runnerObjectStub = sinon.createStubInstance(toolrunner.ToolRunner);
     runnerObjectStub.exec.resolves(0);

lib/config-utils.test.js

@@ -1032,6 +1032,12 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
 // Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
 // CLI 2.9.3+.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.9.3", true, undefined, "security-and-quality", "~0.3.0");
+// Test that ML-powered queries are run on all platforms running `security-extended` on CodeQL
+// CLI 2.11.3+.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.11.3", true, undefined, "security-extended", "~0.4.0");
+// Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
+// CLI 2.11.3+.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.11.3", true, undefined, "security-and-quality", "~0.4.0");
 const calculateAugmentationMacro = ava_1.default.macro({
     exec: async (t, _title, rawPacksInput, rawQueriesInput, languages, expectedAugmentationProperties) => {
         const actualAugmentationProperties = configUtils.calculateAugmentation(rawPacksInput, rawQueriesInput, languages);

lib/feature-flags.js

@@ -26,6 +26,7 @@ var Feature;
 (function (Feature) {
     Feature["BypassToolcacheEnabled"] = "bypass_toolcache_enabled";
     Feature["CliConfigFileEnabled"] = "cli_config_file_enabled";
+    Feature["FileBaselineInformationEnabled"] = "file_baseline_information_enabled";
     Feature["GolangExtractionReconciliationEnabled"] = "golang_extraction_reconciliation_enabled";
     Feature["MlPoweredQueriesEnabled"] = "ml_powered_queries_enabled";
     Feature["TrapCachingEnabled"] = "trap_caching_enabled";
@@ -39,6 +40,10 @@ exports.featureConfig = {
         envVar: "CODEQL_PASS_CONFIG_TO_CLI",
         minimumVersion: "2.11.1",
     },
+    [Feature.FileBaselineInformationEnabled]: {
+        envVar: "CODEQL_FILE_BASELINE_INFORMATION",
+        minimumVersion: "2.11.3",
+    },
     [Feature.GolangExtractionReconciliationEnabled]: {
         envVar: "CODEQL_GOLANG_EXTRACTION_RECONCILIATION",
         minimumVersion: undefined,

lib/feature-flags.js.map

@@ -1 +1 @@
-{"version":3,"file":"feature-flags.js","sourceRoot":"","sources":["../src/feature-flags.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,6CAA8D;AAI9D,6CAA+B;AAM/B,IAAY,OAMX;AAND,WAAY,OAAO;IACjB,8DAAmD,CAAA;IACnD,2DAAgD,CAAA;IAChD,6FAAkF,CAAA;IAClF,iEAAsD,CAAA;IACtD,sDAA2C,CAAA;AAC7C,CAAC,EANW,OAAO,GAAP,eAAO,KAAP,eAAO,QAMlB;AAEY,QAAA,aAAa,GAGtB;IACF,CAAC,OAAO,CAAC,sBAAsB,CAAC,EAAE;QAChC,MAAM,EAAE,yBAAyB;QACjC,cAAc,EAAE,SAAS;KAC1B;IACD,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE;QAC9B,MAAM,EAAE,2BAA2B;QACnC,cAAc,EAAE,QAAQ;KACzB;IACD,CAAC,OAAO,CAAC,qCAAqC,CAAC,EAAE;QAC/C,MAAM,EAAE,yCAAyC;QACjD,cAAc,EAAE,SAAS;KAC1B;IACD,CAAC,OAAO,CAAC,uBAAuB,CAAC,EAAE;QACjC,MAAM,EAAE,2BAA2B;QACnC,cAAc,EAAE,OAAO;KACxB;IACD,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE;QAC5B,MAAM,EAAE,qBAAqB;QAC7B,cAAc,EAAE,SAAS;KAC1B;CACF,CAAC;AAUF;;;;GAIG;AACH,MAAa,QAAQ;IAGnB,YACE,aAAiC,EACjC,UAA4B,EAC5B,aAA4B,EAC5B,MAAc;QAEd,IAAI,CAAC,kBAAkB,GAAG,IAAI,kBAAkB,CAC9C,aAAa,EACb,UAAU,EACV,aAAa,EACb,MAAM,CACP,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,OAAgB,EAAE,MAAe;QAC9C,IAAI,CAAC,MAAM,IAAI,qBAAa,CAAC,OAAO,CAAC,CAAC,cAAc,EAAE;YACpD,MAAM,IAAI,KAAK,CACb,8DAA8D,OAAO,2CAA2C,CACjH,CAAC;SACH;QAED,oDAAoD;QACpD,IAAI,OAAO,KAAK,OAAO,CAAC,sBAAsB,IAAI,IAAI,CAAC,YAAY,EAAE,EAAE;YACrE,OAAO,KAAK,CAAC;SACd;QAED,MAAM,MAAM,GAAG,CACb,OAAO,CAAC,GAAG,CAAC,qBAAa,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CACjD,CAAC,iBAAiB,EAAE,CAAC;QAEtB,sFAAsF;QACtF,IAAI,MAAM,KAAK,OAAO,EAAE;YACtB,OAAO,KAAK,CAAC;SACd;QAED,yEAAyE;QACzE,MAAM,cAAc,GAAG,qBAAa,CAAC,OAAO,CAAC,CAAC,cAAc,CAAC;QAC7D,IAAI,MAAM,IAAI,cAAc,EAAE;YAC5B,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,EAAE;gBAC5D,OAAO,KAAK,CAAC;aACd;SACF;QAED,8EAA8E;QAC9E,IAAI,MAAM,KAAK,MAAM,EAAE;YACrB,OAAO,IAAI,CAAC;SACb;QAED,gDAAgD;QAChD,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;CACF;AAlED,4BAkEC;AAED,MAAM,kBAAkB;IAGtB,YACU,aAAiC,EACjC,UAA4B,EAC5B,aAA4B,EAC5B,MAAc;QAHd,kBAAa,GAAb,aAAa,CAAoB;QACjC,eAAU,GAAV,UAAU,CAAkB;QAC5B,kBAAa,GAAb,aAAa,CAAe;QAC5B,WAAM,GAAN,MAAM,CAAQ;QAEtB,IAAI;IACN,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAAgB;QAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC7C,IAAI,QAAQ,KAAK,SAAS,EAAE;YAC1B,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,qCAAqC,OAAO,4BAA4B,CACzE,CAAC;YACF,OAAO,KAAK,CAAC;SACd;QACD,MAAM,iBAAiB,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,iBAAiB,KAAK,SAAS,EAAE;YACnC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,YAAY,OAAO,uDAAuD,CAC3E,CAAC;YACF,OAAO,KAAK,CAAC;SACd;QACD,OAAO,CAAC,CAAC,iBAAiB,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,MAAM,WAAW,GACf,IAAI,CAAC,iBAAiB,IAAI,CAAC,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC;QAC3D,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC;QACrC,OAAO,WAAW,CAAC;IACrB,CAAC;IAEO,KAAK,CAAC,eAAe;QAC3B,iDAAiD;QACjD,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;YACzD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,oEAAoE,CACrE,CAAC;YACF,OAAO,EAAE,CAAC;SACX;QACD,MAAM,MAAM,GAAG,IAAA,yBAAY,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,IAAI;YACF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CACnC,8DAA8D,EAC9D;gBACE,KAAK,EAAE,IAAI,CAAC,aAAa,CAAC,KAAK;gBAC/B,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI;aAC9B,CACF,CAAC;YACF,OAAO,QAAQ,CAAC,IAAI,CAAC;SACtB;QAAC,OAAO,CAAC,EAAE;YACV,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG,EAAE;gBAC3C,IAAI,CAAC,MAAM,CAAC,OAAO,CACjB,gGAAgG;oBAC9F,oEAAoE;oBACpE,qFAAqF;oBACrF,kFAAkF,CAAC,EAAE,CACxF,CAAC;aACH;iBAAM;gBACL,kFAAkF;gBAClF,8EAA8E;gBAC9E,2FAA2F;gBAC3F,eAAe;gBACf,MAAM,IAAI,KAAK,CACb,sEAAsE,CAAC,EAAE,CAC1E,CAAC;aACH;SACF;IACH,CAAC;CACF"}
+{"version":3,"file":"feature-flags.js","sourceRoot":"","sources":["../src/feature-flags.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,6CAA8D;AAI9D,6CAA+B;AAM/B,IAAY,OAOX;AAPD,WAAY,OAAO;IACjB,8DAAmD,CAAA;IACnD,2DAAgD,CAAA;IAChD,+EAAoE,CAAA;IACpE,6FAAkF,CAAA;IAClF,iEAAsD,CAAA;IACtD,sDAA2C,CAAA;AAC7C,CAAC,EAPW,OAAO,GAAP,eAAO,KAAP,eAAO,QAOlB;AAEY,QAAA,aAAa,GAGtB;IACF,CAAC,OAAO,CAAC,sBAAsB,CAAC,EAAE;QAChC,MAAM,EAAE,yBAAyB;QACjC,cAAc,EAAE,SAAS;KAC1B;IACD,CAAC,OAAO,CAAC,oBAAoB,CAAC,EAAE;QAC9B,MAAM,EAAE,2BAA2B;QACnC,cAAc,EAAE,QAAQ;KACzB;IACD,CAAC,OAAO,CAAC,8BAA8B,CAAC,EAAE;QACxC,MAAM,EAAE,kCAAkC;QAC1C,cAAc,EAAE,QAAQ;KACzB;IACD,CAAC,OAAO,CAAC,qCAAqC,CAAC,EAAE;QAC/C,MAAM,EAAE,yCAAyC;QACjD,cAAc,EAAE,SAAS;KAC1B;IACD,CAAC,OAAO,CAAC,uBAAuB,CAAC,EAAE;QACjC,MAAM,EAAE,2BAA2B;QACnC,cAAc,EAAE,OAAO;KACxB;IACD,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE;QAC5B,MAAM,EAAE,qBAAqB;QAC7B,cAAc,EAAE,SAAS;KAC1B;CACF,CAAC;AAUF;;;;GAIG;AACH,MAAa,QAAQ;IAGnB,YACE,aAAiC,EACjC,UAA4B,EAC5B,aAA4B,EAC5B,MAAc;QAEd,IAAI,CAAC,kBAAkB,GAAG,IAAI,kBAAkB,CAC9C,aAAa,EACb,UAAU,EACV,aAAa,EACb,MAAM,CACP,CAAC;IACJ,CAAC;IAED;;;;;;;;;;;OAWG;IACH,KAAK,CAAC,QAAQ,CAAC,OAAgB,EAAE,MAAe;QAC9C,IAAI,CAAC,MAAM,IAAI,qBAAa,CAAC,OAAO,CAAC,CAAC,cAAc,EAAE;YACpD,MAAM,IAAI,KAAK,CACb,8DAA8D,OAAO,2CAA2C,CACjH,CAAC;SACH;QAED,oDAAoD;QACpD,IAAI,OAAO,KAAK,OAAO,CAAC,sBAAsB,IAAI,IAAI,CAAC,YAAY,EAAE,EAAE;YACrE,OAAO,KAAK,CAAC;SACd;QAED,MAAM,MAAM,GAAG,CACb,OAAO,CAAC,GAAG,CAAC,qBAAa,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CACjD,CAAC,iBAAiB,EAAE,CAAC;QAEtB,sFAAsF;QACtF,IAAI,MAAM,KAAK,OAAO,EAAE;YACtB,OAAO,KAAK,CAAC;SACd;QAED,yEAAyE;QACzE,MAAM,cAAc,GAAG,qBAAa,CAAC,OAAO,CAAC,CAAC,cAAc,CAAC;QAC7D,IAAI,MAAM,IAAI,cAAc,EAAE;YAC5B,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC,EAAE;gBAC5D,OAAO,KAAK,CAAC;aACd;SACF;QAED,8EAA8E;QAC9E,IAAI,MAAM,KAAK,MAAM,EAAE;YACrB,OAAO,IAAI,CAAC;SACb;QAED,gDAAgD;QAChD,OAAO,MAAM,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;IACzD,CAAC;CACF;AAlED,4BAkEC;AAED,MAAM,kBAAkB;IAGtB,YACU,aAAiC,EACjC,UAA4B,EAC5B,aAA4B,EAC5B,MAAc;QAHd,kBAAa,GAAb,aAAa,CAAoB;QACjC,eAAU,GAAV,UAAU,CAAkB;QAC5B,kBAAa,GAAb,aAAa,CAAe;QAC5B,WAAM,GAAN,MAAM,CAAQ;QAEtB,IAAI;IACN,CAAC;IAED,KAAK,CAAC,QAAQ,CAAC,OAAgB;QAC7B,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,cAAc,EAAE,CAAC;QAC7C,IAAI,QAAQ,KAAK,SAAS,EAAE;YAC1B,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,qCAAqC,OAAO,4BAA4B,CACzE,CAAC;YACF,OAAO,KAAK,CAAC;SACd;QACD,MAAM,iBAAiB,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,iBAAiB,KAAK,SAAS,EAAE;YACnC,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,YAAY,OAAO,uDAAuD,CAC3E,CAAC;YACF,OAAO,KAAK,CAAC;SACd;QACD,OAAO,CAAC,CAAC,iBAAiB,CAAC;IAC7B,CAAC;IAEO,KAAK,CAAC,cAAc;QAC1B,MAAM,WAAW,GACf,IAAI,CAAC,iBAAiB,IAAI,CAAC,MAAM,IAAI,CAAC,eAAe,EAAE,CAAC,CAAC;QAC3D,IAAI,CAAC,iBAAiB,GAAG,WAAW,CAAC;QACrC,OAAO,WAAW,CAAC;IACrB,CAAC;IAEO,KAAK,CAAC,eAAe;QAC3B,iDAAiD;QACjD,IAAI,IAAI,CAAC,aAAa,CAAC,IAAI,KAAK,IAAI,CAAC,aAAa,CAAC,MAAM,EAAE;YACzD,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,oEAAoE,CACrE,CAAC;YACF,OAAO,EAAE,CAAC;SACX;QACD,MAAM,MAAM,GAAG,IAAA,yBAAY,EAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC7C,IAAI;YACF,MAAM,QAAQ,GAAG,MAAM,MAAM,CAAC,OAAO,CACnC,8DAA8D,EAC9D;gBACE,KAAK,EAAE,IAAI,CAAC,aAAa,CAAC,KAAK;gBAC/B,IAAI,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI;aAC9B,CACF,CAAC;YACF,OAAO,QAAQ,CAAC,IAAI,CAAC;SACtB;QAAC,OAAO,CAAC,EAAE;YACV,IAAI,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,GAAG,EAAE;gBAC3C,IAAI,CAAC,MAAM,CAAC,OAAO,CACjB,gGAAgG;oBAC9F,oEAAoE;oBACpE,qFAAqF;oBACrF,kFAAkF,CAAC,EAAE,CACxF,CAAC;aACH;iBAAM;gBACL,kFAAkF;gBAClF,8EAA8E;gBAC9E,2FAA2F;gBAC3F,eAAe;gBACf,MAAM,IAAI,KAAK,CACb,sEAAsE,CAAC,EAAE,CAC1E,CAAC;aACH;SACF;IACH,CAAC;CACF"}

lib/init-action-post-helper.js

@@ -28,7 +28,7 @@ async function run(uploadDatabaseBundleDebugArtifact, uploadLogsDebugArtifact, p
     const logger = (0, logging_1.getActionsLogger)();
     const config = await (0, config_utils_1.getConfig)(actionsUtil.getTemporaryDirectory(), logger);
     if (config === undefined) {
-        throw new Error("Config file could not be found at expected location. Did the 'init' action fail to start?");
+        logger.warning("Debugging artifacts are unavailable since the 'init' Action failed before it could produce any.");
     }
     // Upload appropriate Actions artifacts for debugging
     if (config === null || config === void 0 ? void 0 : config.debugMode) {

lib/init-action-post-helper.js.map

@@ -1 +1 @@
-{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAA2C;AAC3C,uCAA6C;AAEtC,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB;IAExB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,IAAI,KAAK,CACb,2FAA2F,CAC5F,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE;QACrB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;AACH,CAAC;AAxBD,kBAwBC"}
+{"version":3,"file":"init-action-post-helper.js","sourceRoot":"","sources":["../src/init-action-post-helper.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,4DAA8C;AAC9C,iDAA2C;AAC3C,uCAA6C;AAEtC,KAAK,UAAU,GAAG,CACvB,iCAA2C,EAC3C,uBAAiC,EACjC,cAAwB;IAExB,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,MAAM,MAAM,GAAG,MAAM,IAAA,wBAAS,EAAC,WAAW,CAAC,qBAAqB,EAAE,EAAE,MAAM,CAAC,CAAC;IAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;QACxB,MAAM,CAAC,OAAO,CACZ,iGAAiG,CAClG,CAAC;KACH;IAED,qDAAqD;IACrD,IAAI,MAAM,aAAN,MAAM,uBAAN,MAAM,CAAE,SAAS,EAAE;QACrB,IAAI,CAAC,IAAI,CACP,mGAAmG,CACpG,CAAC;QACF,MAAM,iCAAiC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QACxD,MAAM,uBAAuB,CAAC,MAAM,CAAC,CAAC;QAEtC,MAAM,cAAc,CAAC,MAAM,CAAC,CAAC;KAC9B;AACH,CAAC;AAxBD,kBAwBC"}

lib/shared-environment.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CODEQL_WORKFLOW_STARTED_AT = exports.ODASA_TRACER_CONFIGURATION = void 0;
+exports.CODEQL_ACTION_TESTING_ENVIRONMENT = exports.CODEQL_WORKFLOW_STARTED_AT = exports.ODASA_TRACER_CONFIGURATION = void 0;
 exports.ODASA_TRACER_CONFIGURATION = "ODASA_TRACER_CONFIGURATION";
 // The time at which the first action (normally init) started executing.
 // If a workflow invokes a different action without first invoking the init
@@ -8,4 +8,5 @@ exports.ODASA_TRACER_CONFIGURATION = "ODASA_TRACER_CONFIGURATION";
 // then this variable will be assigned the start time of the action invoked
 // rather that the init action.
 exports.CODEQL_WORKFLOW_STARTED_AT = "CODEQL_WORKFLOW_STARTED_AT";
+exports.CODEQL_ACTION_TESTING_ENVIRONMENT = "CODEQL_ACTION_TESTING_ENVIRONMENT";
 //# sourceMappingURL=shared-environment.js.map

lib/shared-environment.js.map

@@ -1 +1 @@
-{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAa,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AACvE,wEAAwE;AACxE,2EAA2E;AAC3E,4EAA4E;AAC5E,2EAA2E;AAC3E,+BAA+B;AAClB,QAAA,0BAA0B,GAAG,4BAA4B,CAAC"}
+{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAa,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AACvE,wEAAwE;AACxE,2EAA2E;AAC3E,4EAA4E;AAC5E,2EAA2E;AAC3E,+BAA+B;AAClB,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AAE1D,QAAA,iCAAiC,GAC5C,mCAAmC,CAAC"}

lib/upload-lib.js

@@ -22,9 +22,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateUniqueCategory = exports.waitForProcessing = exports.buildPayload = exports.validateSarifFileSchema = exports.countResultsInSarif = exports.uploadFromRunner = exports.uploadFromActions = exports.findSarifFilesInDir = exports.populateRunAutomationDetails = exports.combineSarifFiles = void 0;
+exports.pruneInvalidResults = exports.validateUniqueCategory = exports.waitForProcessing = exports.buildPayload = exports.validateSarifFileSchema = exports.countResultsInSarif = exports.uploadFromRunner = exports.uploadFromActions = exports.findSarifFilesInDir = exports.populateRunAutomationDetails = exports.combineSarifFiles = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const process_1 = require("process");
 const zlib_1 = __importDefault(require("zlib"));
 const core = __importStar(require("@actions/core"));
 const file_url_1 = __importDefault(require("file-url"));
@@ -269,6 +270,8 @@ async function uploadFiles(sarifFiles, repositoryNwo, commitOid, ref, analysisKe
     let sarif = combineSarifFiles(sarifFiles);
     sarif = await fingerprints.addFingerprints(sarif, sourceRoot, logger);
     sarif = populateRunAutomationDetails(sarif, category, analysisKey, environment);
+    if (process_1.env["CODEQL_DISABLE_SARIF_PRUNING"] !== "true")
+        sarif = pruneInvalidResults(sarif, logger);
     const toolNames = util.getToolNames(sarif);
     validateUniqueCategory(sarif);
     const sarifPayload = JSON.stringify(sarif);
@@ -376,4 +379,36 @@ exports.validateUniqueCategory = validateUniqueCategory;
 function sanitize(str) {
     return (str !== null && str !== void 0 ? str : "_").replace(/[^a-zA-Z0-9_]/g, "_").toLocaleUpperCase();
 }
+function pruneInvalidResults(sarif, logger) {
+    var _a, _b, _c, _d, _e, _f, _g, _h;
+    let pruned = 0;
+    const newRuns = [];
+    for (const run of sarif.runs || []) {
+        if (((_b = (_a = run.tool) === null || _a === void 0 ? void 0 : _a.driver) === null || _b === void 0 ? void 0 : _b.name) === "CodeQL" &&
+            ((_d = (_c = run.tool) === null || _c === void 0 ? void 0 : _c.driver) === null || _d === void 0 ? void 0 : _d.semanticVersion) === "2.11.2") {
+            // Version 2.11.2 of the CodeQL CLI had many false positives in the
+            // rb/weak-cryptographic-algorithm query which we prune here. The
+            // issue is tracked in https://github.com/github/codeql/issues/11107.
+            const newResults = [];
+            for (const result of run.results || []) {
+                if (result.ruleId === "rb/weak-cryptographic-algorithm" &&
+                    (((_f = (_e = result.message) === null || _e === void 0 ? void 0 : _e.text) === null || _f === void 0 ? void 0 : _f.includes(" MD5 ")) ||
+                        ((_h = (_g = result.message) === null || _g === void 0 ? void 0 : _g.text) === null || _h === void 0 ? void 0 : _h.includes(" SHA1 ")))) {
+                    pruned += 1;
+                    continue;
+                }
+                newResults.push(result);
+            }
+            newRuns.push({ ...run, results: newResults });
+        }
+        else {
+            newRuns.push(run);
+        }
+    }
+    if (pruned > 0) {
+        logger.info(`Pruned ${pruned} results believed to be invalid from SARIF file.`);
+    }
+    return { ...sarif, runs: newRuns };
+}
+exports.pruneInvalidResults = pruneInvalidResults;
 //# sourceMappingURL=upload-lib.js.map

lib/upload-lib.test.js

@@ -28,6 +28,7 @@ const ava_1 = __importDefault(require("ava"));
 const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
 const uploadLib = __importStar(require("./upload-lib"));
+const upload_lib_1 = require("./upload-lib");
 const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
 ava_1.default.beforeEach(() => {
@@ -200,6 +201,105 @@ ava_1.default.beforeEach(() => {
     t.throws(() => uploadLib.validateUniqueCategory(sarif1));
     t.throws(() => uploadLib.validateUniqueCategory(sarif2));
 });
+(0, ava_1.default)("pruneInvalidResults", (t) => {
+    const loggedMessages = [];
+    const mockLogger = {
+        info: (message) => {
+            loggedMessages.push(message);
+        },
+    };
+    const sarif = {
+        runs: [
+            {
+                tool: otherTool,
+                results: [resultWithBadMessage1, resultWithGoodMessage],
+            },
+            {
+                tool: affectedCodeQLVersion,
+                results: [
+                    resultWithOtherRuleId,
+                    resultWithBadMessage1,
+                    resultWithBadMessage2,
+                    resultWithGoodMessage,
+                ],
+            },
+            {
+                tool: unaffectedCodeQLVersion,
+                results: [resultWithBadMessage1, resultWithGoodMessage],
+            },
+        ],
+    };
+    const result = (0, upload_lib_1.pruneInvalidResults)(sarif, mockLogger);
+    const expected = {
+        runs: [
+            {
+                tool: otherTool,
+                results: [resultWithBadMessage1, resultWithGoodMessage],
+            },
+            {
+                tool: affectedCodeQLVersion,
+                results: [resultWithOtherRuleId, resultWithGoodMessage],
+            },
+            {
+                tool: unaffectedCodeQLVersion,
+                results: [resultWithBadMessage1, resultWithGoodMessage],
+            },
+        ],
+    };
+    t.deepEqual(result, expected);
+    t.deepEqual(loggedMessages.length, 1);
+    t.assert(loggedMessages[0].includes("Pruned 2 results"));
+});
+const affectedCodeQLVersion = {
+    driver: {
+        name: "CodeQL",
+        semanticVersion: "2.11.2",
+    },
+};
+const unaffectedCodeQLVersion = {
+    driver: {
+        name: "CodeQL",
+        semanticVersion: "2.11.3",
+    },
+};
+const otherTool = {
+    driver: {
+        name: "Some other tool",
+        semanticVersion: "2.11.2",
+    },
+};
+const resultWithOtherRuleId = {
+    ruleId: "doNotPrune",
+    message: {
+        text: "should not be pruned even though it says MD5 in it",
+    },
+    locations: [],
+    partialFingerprints: {},
+};
+const resultWithGoodMessage = {
+    ruleId: "rb/weak-cryptographic-algorithm",
+    message: {
+        text: "should not be pruned SHA128 is not a FP",
+    },
+    locations: [],
+    partialFingerprints: {},
+};
+const resultWithBadMessage1 = {
+    ruleId: "rb/weak-cryptographic-algorithm",
+    message: {
+        text: "should be pruned MD5 is a FP",
+    },
+    locations: [],
+    partialFingerprints: {},
+};
+const resultWithBadMessage2 = {
+    ruleId: "rb/weak-cryptographic-algorithm",
+    message: {
+        text: "should be pruned SHA1 is a FP",
+    },
+    locations: [],
+    partialFingerprints: {},
+};
 function createMockSarif(id, tool) {
     return {
         runs: [

lib/util.js

@@ -553,7 +553,10 @@ exports.ML_POWERED_JS_QUERIES_PACK_NAME = "codeql/javascript-experimental-atm-qu
  */
 async function getMlPoweredJsQueriesPack(codeQL) {
     let version;
-    if (await codeQlVersionAbove(codeQL, "2.9.3")) {
+    if (await codeQlVersionAbove(codeQL, "2.11.3")) {
+        version = "~0.4.0";
+    }
+    else if (await codeQlVersionAbove(codeQL, "2.9.3")) {
         version = `~0.3.0`;
     }
     else if (await codeQlVersionAbove(codeQL, "2.8.4")) {

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.1.30",
+  "version": "2.1.32",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "2.1.30",
+  "version": "2.1.32",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "2.1.30",
+      "version": "2.1.32",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^1.1.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.1.30",
+  "version": "2.1.32",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/export-file-baseline-information.yml

@@ -0,0 +1,43 @@
+name: "Export file baseline information"
+description: "Tests that file baseline information is exported when the feature is enabled"
+versions: ["nightly-latest"]
+steps:
+  - uses: ./../action/init
+    with:
+      languages: javascript
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+    env:
+      CODEQL_FILE_BASELINE_INFORMATION: true
+      TEST_MODE: true
+  - name: Build code
+    shell: bash
+    run: ./build.sh
+  - uses: ./../action/analyze
+    with:
+      output: "${{ runner.temp }}/results"
+    env:
+      CODEQL_FILE_BASELINE_INFORMATION: true
+      TEST_MODE: true
+  - name: Upload SARIF
+    uses: actions/upload-artifact@v3
+    with:
+      name: with-baseline-information-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+      path: "${{ runner.temp }}/results/javascript.sarif"
+      retention-days: 7
+  - name: Check results
+    shell: bash
+    run: |
+      cd "$RUNNER_TEMP/results"
+      expected_baseline_languages="cpp csharp go java js python ruby"
+
+      for lang in ${expected_baseline_languages}; do
+        rule_name="${lang}/baseline/expected-extracted-files"
+        found_notification=$(jq --arg rule_name "${rule_name}" '[.runs[0].tool.driver.notifications |
+          select(. != null) | flatten | .[].id] | any(. == $rule_name)' javascript.sarif)
+        if [[ "${found_notification}" != "true" ]]; then
+          echo "Expected SARIF output to contain notification '${rule_name}', but found no such notification."
+          exit 1
+        else
+          echo "Found notification '${rule_name}'."
+        fi
+      done

pr-checks/checks/test-proxy.yml

@@ -3,11 +3,11 @@ description: "Tests using a proxy specified by the https_proxy environment varia
 versions: ["latest"]
 operatingSystems: ["ubuntu"]
 container:
-  image: ubuntu:18.04
+  image: ubuntu:22.04
   options: --dns 127.0.0.1
 services:
   squid-proxy:
-    image: datadog/squid:latest
+    image: ubuntu/squid:latest
     ports:
       - 3128:3128
 env:

src/actions-util.ts

@@ -600,6 +600,12 @@ export interface StatusReportBase {
   completed_at?: string;
   /** State this action is currently in. */
   status: ActionStatus;
+  /**
+   * Testing environment: Set if non-production environment.
+   * The server accepts one of the following values:
+   *  `["", "qa-rc", "qa-rc-1", "qa-rc-2", "qa-experiment-1", "qa-experiment-2", "qa-experiment-3"]`.
+   */
+  testing_environment: string;
   /**
    * Information about the enablement of the ML-powered JS query pack.
    *
@@ -675,6 +681,16 @@ export async function createStatusReportBase(
   const runnerOs = getRequiredEnvParam("RUNNER_OS");
   const codeQlCliVersion = getCachedCodeQlVersion();
   const actionRef = process.env["GITHUB_ACTION_REF"];
+  const testingEnvironment =
+    process.env[sharedEnv.CODEQL_ACTION_TESTING_ENVIRONMENT] || "";
+  // re-export the testing environment variable so that it is available to subsequent steps,
+  // even if it was only set for this step
+  if (testingEnvironment !== "") {
+    core.exportVariable(
+      sharedEnv.CODEQL_ACTION_TESTING_ENVIRONMENT,
+      testingEnvironment
+    );
+  }
 
   const statusReport: StatusReportBase = {
     workflow_run_id: workflowRunID,
@@ -689,6 +705,7 @@ export async function createStatusReportBase(
     started_at: workflowStartedAt,
     action_started_at: actionStartedAt.toISOString(),
     status,
+    testing_environment: testingEnvironment,
     runner_os: runnerOs,
     action_version: pkg.version,
   };

src/analyze-action.ts

@@ -27,6 +27,7 @@ import { getTotalCacheSize, uploadTrapCaches } from "./trap-caching";
 import * as upload_lib from "./upload-lib";
 import { UploadResult } from "./upload-lib";
 import * as util from "./util";
+import { checkForTimeout } from "./util";
 
 // eslint-disable-next-line import/no-commonjs
 const pkg = require("../package.json");
@@ -402,6 +403,7 @@ async function runWrapper() {
     core.setFailed(`analyze action failed: ${error}`);
     console.log(error);
   }
+  await checkForTimeout();
 }
 
 void runWrapper();

src/analyze.ts

@@ -389,7 +389,8 @@ export async function runQueries(
       addSnippetsFlag,
       threadsFlag,
       enableDebugLogging ? "-vv" : "-v",
-      automationDetailsId
+      automationDetailsId,
+      featureEnablement
     );
   }
 

src/codeql.test.ts

@@ -445,7 +445,16 @@ test("databaseInterpretResults() does not set --sarif-add-query-help for 2.7.0",
   const runnerConstructorStub = stubToolRunnerConstructor();
   const codeqlObject = await codeql.getCodeQLForTesting();
   sinon.stub(codeqlObject, "getVersion").resolves("2.7.0");
-  await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+  await codeqlObject.databaseInterpretResults(
+    "",
+    [],
+    "",
+    "",
+    "",
+    "-v",
+    "",
+    createFeatures([])
+  );
   t.false(
     runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"),
     "--sarif-add-query-help should be absent, but it is present"
@@ -456,7 +465,16 @@ test("databaseInterpretResults() sets --sarif-add-query-help for 2.7.1", async (
   const runnerConstructorStub = stubToolRunnerConstructor();
   const codeqlObject = await codeql.getCodeQLForTesting();
   sinon.stub(codeqlObject, "getVersion").resolves("2.7.1");
-  await codeqlObject.databaseInterpretResults("", [], "", "", "", "-v", "");
+  await codeqlObject.databaseInterpretResults(
+    "",
+    [],
+    "",
+    "",
+    "",
+    "-v",
+    "",
+    createFeatures([])
+  );
   t.true(
     runnerConstructorStub.firstCall.args[1].includes("--sarif-add-query-help"),
     "--sarif-add-query-help should be present, but it is absent"
@@ -846,6 +864,56 @@ test("does not use injected config", async (t: ExecutionContext<unknown>) => {
   }
 });
 
+test("databaseInterpretResults() sets --sarif-add-baseline-file-info when feature enabled", async (t) => {
+  const runnerConstructorStub = stubToolRunnerConstructor();
+  const codeqlObject = await codeql.getCodeQLForTesting();
+  // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
+  // The version of CodeQL is checked separately to determine feature enablement, and does not
+  // otherwise impact this test, so set it to 0.0.0.
+  sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
+  await codeqlObject.databaseInterpretResults(
+    "",
+    [],
+    "",
+    "",
+    "",
+    "-v",
+    "",
+    createFeatures([Feature.FileBaselineInformationEnabled])
+  );
+  t.true(
+    runnerConstructorStub.firstCall.args[1].includes(
+      "--sarif-add-baseline-file-info"
+    ),
+    "--sarif-add-baseline-file-info should be present, but it is absent"
+  );
+});
+
+test("databaseInterpretResults() does not set --sarif-add-baseline-file-info if feature disabled", async (t) => {
+  const runnerConstructorStub = stubToolRunnerConstructor();
+  const codeqlObject = await codeql.getCodeQLForTesting();
+  // We need to set a CodeQL version such that running `databaseInterpretResults` does not crash.
+  // The version of CodeQL is checked upstream to determine feature enablement, so it does not
+  // affect this test.
+  sinon.stub(codeqlObject, "getVersion").resolves("0.0.0");
+  await codeqlObject.databaseInterpretResults(
+    "",
+    [],
+    "",
+    "",
+    "",
+    "-v",
+    "",
+    createFeatures([])
+  );
+  t.false(
+    runnerConstructorStub.firstCall.args[1].includes(
+      "--sarif-add-baseline-file-info"
+    ),
+    "--sarif-add-baseline-file-info must be absent, but it is present"
+  );
+});
+
 export function stubToolRunnerConstructor(): sinon.SinonStub<
   any[],
   toolrunner.ToolRunner

src/codeql.ts

@@ -48,7 +48,13 @@ interface ExtraOptions {
 }
 
 export class CommandInvocationError extends Error {
-  constructor(cmd: string, args: string[], exitCode: number, error: string) {
+  constructor(
+    cmd: string,
+    args: string[],
+    exitCode: number,
+    error: string,
+    public output: string
+  ) {
     super(
       `Failure invoking ${cmd} with arguments ${args}.\n
       Exit code ${exitCode} and error was:\n
@@ -167,7 +173,8 @@ export interface CodeQL {
     addSnippetsFlag: string,
     threadsFlag: string,
     verbosityFlag: string | undefined,
-    automationDetailsId: string | undefined
+    automationDetailsId: string | undefined,
+    featureEnablement: FeatureEnablement
   ): Promise<string>;
   /**
    * Run 'codeql database print-baseline'.
@@ -263,6 +270,12 @@ export const CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
  */
 export const CODEQL_VERSION_NEW_TRACING = "2.7.0";
 
+/**
+ * Versions 2.7.3+ of the CodeQL CLI support build tracing with glibc 2.34 on Linux. Versions before
+ * this cannot perform build tracing when running on the Actions `ubuntu-22.04` runner image.
+ */
+export const CODEQL_VERSION_TRACING_GLIBC_2_34 = "2.7.3";
+
 /**
  * Versions 2.9.0+ of the CodeQL CLI run machine learning models from a temporary directory, which
  * resolves an issue on Windows where TensorFlow models are not correctly loaded due to the path of
@@ -742,15 +755,39 @@ async function getCodeQLForCmd(
       // _and_ is present in the latest supported CLI release.)
       const envFile = path.resolve(databasePath, "working", "env.tmp");
 
-      await runTool(cmd, [
-        "database",
-        "trace-command",
-        databasePath,
-        ...getExtraOptionsFromEnv(["database", "trace-command"]),
-        process.execPath,
-        tracerEnvJs,
-        envFile,
-      ]);
+      try {
+        await runTool(cmd, [
+          "database",
+          "trace-command",
+          databasePath,
+          ...getExtraOptionsFromEnv(["database", "trace-command"]),
+          process.execPath,
+          tracerEnvJs,
+          envFile,
+        ]);
+      } catch (e) {
+        if (
+          e instanceof CommandInvocationError &&
+          e.output.includes(
+            "undefined symbol: __libc_dlopen_mode, version GLIBC_PRIVATE"
+          ) &&
+          process.platform === "linux" &&
+          !(await util.codeQlVersionAbove(
+            this,
+            CODEQL_VERSION_TRACING_GLIBC_2_34
+          ))
+        ) {
+          throw new util.UserError(
+            "The CodeQL CLI is incompatible with the version of glibc on your system. " +
+              `Please upgrade to CodeQL CLI version ${CODEQL_VERSION_TRACING_GLIBC_2_34} or ` +
+              "later. If you cannot upgrade to a newer version of the CodeQL CLI, you can " +
+              `alternatively run your workflow on another runner image such as "ubuntu-20.04" ` +
+              "that has glibc 2.33 or earlier installed."
+          );
+        } else {
+          throw e;
+        }
+      }
       return JSON.parse(fs.readFileSync(envFile, "utf-8"));
     },
     async databaseInit(
@@ -1030,7 +1067,8 @@ async function getCodeQLForCmd(
       addSnippetsFlag: string,
       threadsFlag: string,
       verbosityFlag: string,
-      automationDetailsId: string | undefined
+      automationDetailsId: string | undefined,
+      featureEnablement: FeatureEnablement
     ): Promise<string> {
       const codeqlArgs = [
         "database",
@@ -1056,6 +1094,14 @@ async function getCodeQLForCmd(
       ) {
         codeqlArgs.push("--sarif-category", automationDetailsId);
       }
+      if (
+        await featureEnablement.getValue(
+          Feature.FileBaselineInformationEnabled,
+          this
+        )
+      ) {
+        codeqlArgs.push("--sarif-add-baseline-file-info");
+      }
       codeqlArgs.push(databasePath);
       if (querySuitePaths) {
         codeqlArgs.push(...querySuitePaths);
@@ -1259,7 +1305,7 @@ async function runTool(cmd: string, args: string[] = []) {
     ignoreReturnCode: true,
   }).exec();
   if (exitCode !== 0)
-    throw new CommandInvocationError(cmd, args, exitCode, error);
+    throw new CommandInvocationError(cmd, args, exitCode, error, output);
   return output;
 }
 

src/config-utils.test.ts

@@ -2059,6 +2059,27 @@ test(
   "security-and-quality",
   "~0.3.0"
 );
+// Test that ML-powered queries are run on all platforms running `security-extended` on CodeQL
+// CLI 2.11.3+.
+test(
+  mlPoweredQueriesMacro,
+  "2.11.3",
+  true,
+  undefined,
+  "security-extended",
+  "~0.4.0"
+);
+
+// Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
+// CLI 2.11.3+.
+test(
+  mlPoweredQueriesMacro,
+  "2.11.3",
+  true,
+  undefined,
+  "security-and-quality",
+  "~0.4.0"
+);
 
 const calculateAugmentationMacro = test.macro({
   exec: async (

src/feature-flags.ts

@@ -11,6 +11,7 @@ export interface FeatureEnablement {
 export enum Feature {
   BypassToolcacheEnabled = "bypass_toolcache_enabled",
   CliConfigFileEnabled = "cli_config_file_enabled",
+  FileBaselineInformationEnabled = "file_baseline_information_enabled",
   GolangExtractionReconciliationEnabled = "golang_extraction_reconciliation_enabled",
   MlPoweredQueriesEnabled = "ml_powered_queries_enabled",
   TrapCachingEnabled = "trap_caching_enabled",
@@ -28,6 +29,10 @@ export const featureConfig: Record<
     envVar: "CODEQL_PASS_CONFIG_TO_CLI",
     minimumVersion: "2.11.1",
   },
+  [Feature.FileBaselineInformationEnabled]: {
+    envVar: "CODEQL_FILE_BASELINE_INFORMATION",
+    minimumVersion: "2.11.3",
+  },
   [Feature.GolangExtractionReconciliationEnabled]: {
     envVar: "CODEQL_GOLANG_EXTRACTION_RECONCILIATION",
     minimumVersion: undefined,

src/init-action-post-helper.ts

@@ -13,8 +13,8 @@ export async function run(
 
   const config = await getConfig(actionsUtil.getTemporaryDirectory(), logger);
   if (config === undefined) {
-    throw new Error(
-      "Config file could not be found at expected location. Did the 'init' action fail to start?"
+    logger.warning(
+      "Debugging artifacts are unavailable since the 'init' Action failed before it could produce any."
     );
   }
 

src/init-action.ts

@@ -29,6 +29,7 @@ import { parseRepositoryNwo } from "./repository";
 import { getTotalCacheSize } from "./trap-caching";
 import {
   checkActionVersion,
+  checkForTimeout,
   checkGitHubVersionInRange,
   codeQlVersionAbove,
   DEFAULT_DEBUG_ARTIFACT_NAME,
@@ -339,6 +340,7 @@ async function runWrapper() {
     core.setFailed(`init action failed: ${error}`);
     console.log(error);
   }
+  await checkForTimeout();
 }
 
 void runWrapper();

src/shared-environment.ts

@@ -5,3 +5,6 @@ export const ODASA_TRACER_CONFIGURATION = "ODASA_TRACER_CONFIGURATION";
 // then this variable will be assigned the start time of the action invoked
 // rather that the init action.
 export const CODEQL_WORKFLOW_STARTED_AT = "CODEQL_WORKFLOW_STARTED_AT";
+
+export const CODEQL_ACTION_TESTING_ENVIRONMENT =
+  "CODEQL_ACTION_TESTING_ENVIRONMENT";

src/upload-lib.test.ts

@@ -3,14 +3,16 @@ import * as path from "path";
 
 import test from "ava";
 
-import { getRunnerLogger } from "./logging";
+import { getRunnerLogger, Logger } from "./logging";
 import { setupTests } from "./testing-utils";
 import * as uploadLib from "./upload-lib";
+import { pruneInvalidResults } from "./upload-lib";
 import {
+  GitHubVariant,
+  GitHubVersion,
   initializeEnvironment,
   Mode,
-  GitHubVersion,
-  GitHubVariant,
+  SarifFile,
   withTmpDir,
 } from "./util";
 
@@ -344,6 +346,116 @@ test("validateUniqueCategory for multiple runs", (t) => {
   t.throws(() => uploadLib.validateUniqueCategory(sarif2));
 });
 
+test("pruneInvalidResults", (t) => {
+  const loggedMessages: string[] = [];
+  const mockLogger = {
+    info: (message: string) => {
+      loggedMessages.push(message);
+    },
+  } as Logger;
+
+  const sarif: SarifFile = {
+    runs: [
+      {
+        tool: otherTool,
+        results: [resultWithBadMessage1, resultWithGoodMessage],
+      },
+      {
+        tool: affectedCodeQLVersion,
+        results: [
+          resultWithOtherRuleId,
+          resultWithBadMessage1,
+          resultWithBadMessage2,
+          resultWithGoodMessage,
+        ],
+      },
+      {
+        tool: unaffectedCodeQLVersion,
+        results: [resultWithBadMessage1, resultWithGoodMessage],
+      },
+    ],
+  };
+  const result = pruneInvalidResults(sarif, mockLogger);
+
+  const expected: SarifFile = {
+    runs: [
+      {
+        tool: otherTool,
+        results: [resultWithBadMessage1, resultWithGoodMessage],
+      },
+      {
+        tool: affectedCodeQLVersion,
+        results: [resultWithOtherRuleId, resultWithGoodMessage],
+      },
+      {
+        tool: unaffectedCodeQLVersion,
+        results: [resultWithBadMessage1, resultWithGoodMessage],
+      },
+    ],
+  };
+
+  t.deepEqual(result, expected);
+  t.deepEqual(loggedMessages.length, 1);
+  t.assert(loggedMessages[0].includes("Pruned 2 results"));
+});
+
+const affectedCodeQLVersion = {
+  driver: {
+    name: "CodeQL",
+    semanticVersion: "2.11.2",
+  },
+};
+
+const unaffectedCodeQLVersion = {
+  driver: {
+    name: "CodeQL",
+    semanticVersion: "2.11.3",
+  },
+};
+
+const otherTool = {
+  driver: {
+    name: "Some other tool",
+    semanticVersion: "2.11.2",
+  },
+};
+
+const resultWithOtherRuleId = {
+  ruleId: "doNotPrune",
+  message: {
+    text: "should not be pruned even though it says MD5 in it",
+  },
+  locations: [],
+  partialFingerprints: {},
+};
+
+const resultWithGoodMessage = {
+  ruleId: "rb/weak-cryptographic-algorithm",
+  message: {
+    text: "should not be pruned SHA128 is not a FP",
+  },
+  locations: [],
+  partialFingerprints: {},
+};
+
+const resultWithBadMessage1 = {
+  ruleId: "rb/weak-cryptographic-algorithm",
+  message: {
+    text: "should be pruned MD5 is a FP",
+  },
+  locations: [],
+  partialFingerprints: {},
+};
+
+const resultWithBadMessage2 = {
+  ruleId: "rb/weak-cryptographic-algorithm",
+  message: {
+    text: "should be pruned SHA1 is a FP",
+  },
+  locations: [],
+  partialFingerprints: {},
+};
+
 function createMockSarif(id?: string, tool?: string) {
   return {
     runs: [

src/upload-lib.ts

@@ -1,5 +1,6 @@
 import * as fs from "fs";
 import * as path from "path";
+import { env } from "process";
 import zlib from "zlib";
 
 import * as core from "@actions/core";
@@ -15,7 +16,7 @@ import { Logger } from "./logging";
 import { parseRepositoryNwo, RepositoryNwo } from "./repository";
 import * as sharedEnv from "./shared-environment";
 import * as util from "./util";
-import { SarifFile } from "./util";
+import { SarifFile, SarifResult, SarifRun } from "./util";
 
 // Takes a list of paths to sarif files and combines them together,
 // returning the contents of the combined sarif file.
@@ -396,6 +397,9 @@ async function uploadFiles(
     environment
   );
 
+  if (env["CODEQL_DISABLE_SARIF_PRUNING"] !== "true")
+    sarif = pruneInvalidResults(sarif, logger);
+
   const toolNames = util.getToolNames(sarif);
 
   validateUniqueCategory(sarif);
@@ -546,3 +550,42 @@ export function validateUniqueCategory(sarif: SarifFile): void {
 function sanitize(str?: string) {
   return (str ?? "_").replace(/[^a-zA-Z0-9_]/g, "_").toLocaleUpperCase();
 }
+
+export function pruneInvalidResults(
+  sarif: SarifFile,
+  logger: Logger
+): SarifFile {
+  let pruned = 0;
+  const newRuns: SarifRun[] = [];
+  for (const run of sarif.runs || []) {
+    if (
+      run.tool?.driver?.name === "CodeQL" &&
+      run.tool?.driver?.semanticVersion === "2.11.2"
+    ) {
+      // Version 2.11.2 of the CodeQL CLI had many false positives in the
+      // rb/weak-cryptographic-algorithm query which we prune here. The
+      // issue is tracked in https://github.com/github/codeql/issues/11107.
+      const newResults: SarifResult[] = [];
+      for (const result of run.results || []) {
+        if (
+          result.ruleId === "rb/weak-cryptographic-algorithm" &&
+          (result.message?.text?.includes(" MD5 ") ||
+            result.message?.text?.includes(" SHA1 "))
+        ) {
+          pruned += 1;
+          continue;
+        }
+        newResults.push(result);
+      }
+      newRuns.push({ ...run, results: newResults });
+    } else {
+      newRuns.push(run);
+    }
+  }
+  if (pruned > 0) {
+    logger.info(
+      `Pruned ${pruned} results believed to be invalid from SARIF file.`
+    );
+  }
+  return { ...sarif, runs: newRuns };
+}

src/util.ts

@@ -52,21 +52,28 @@ export const DID_AUTOBUILD_GO_ENV_VAR_NAME =
 
 export interface SarifFile {
   version?: string | null;
-  runs: Array<{
-    tool?: {
-      driver?: {
-        name?: string;
-      };
+  runs: SarifRun[];
+}
+
+export interface SarifRun {
+  tool?: {
+    driver?: {
+      name?: string;
+      semanticVersion?: string;
     };
-    automationDetails?: {
-      id?: string;
-    };
-    artifacts?: string[];
-    results?: SarifResult[];
-  }>;
+  };
+  automationDetails?: {
+    id?: string;
+  };
+  artifacts?: string[];
+  results?: SarifResult[];
 }
 
 export interface SarifResult {
+  ruleId?: string;
+  message?: {
+    text?: string;
+  };
   locations: Array<{
     physicalLocation: {
       artifactLocation: {
@@ -665,7 +672,9 @@ export async function getMlPoweredJsQueriesPack(
   codeQL: CodeQL
 ): Promise<string> {
   let version;
-  if (await codeQlVersionAbove(codeQL, "2.9.3")) {
+  if (await codeQlVersionAbove(codeQL, "2.11.3")) {
+    version = "~0.4.0";
+  } else if (await codeQlVersionAbove(codeQL, "2.9.3")) {
     version = `~0.3.0`;
   } else if (await codeQlVersionAbove(codeQL, "2.8.4")) {
     version = `~0.2.0`;
@@ -851,11 +860,17 @@ export async function tryGetFolderBytes(
 
 /**
  * Run a promise for a given amount of time, and if it doesn't resolve within
- * that time, call the provided callback and then return undefined.
+ * that time, call the provided callback and then return undefined. Due to the
+ * limitation outlined below, using this helper function is not recommended
+ * unless there is no other option for adding a timeout (e.g. the code that
+ * would need the timeout added is an external library).
  *
  * Important: This does NOT cancel the original promise, so that promise will
  * continue in the background even after the timeout has expired. If the
  * original promise hangs, then this will prevent the process terminating.
+ * If a timeout has occurred then the global hadTimeout variable will get set
+ * to true, and the caller is responsible for forcing the process to exit
+ * if this is the case by calling the `checkForTimeout` function.
  *
  * @param timeoutMs The timeout in milliseconds.
  * @param promise The promise to run.
@@ -875,7 +890,14 @@ export async function withTimeout<T>(
   };
   const timeout: Promise<undefined> = new Promise((resolve) => {
     setTimeout(() => {
-      if (!finished) onTimeout();
+      if (!finished) {
+        // Workaround: While the promise racing below will allow the main code
+        // to continue, the process won't normally exit until the asynchronous
+        // task in the background has finished. We set this variable to force
+        // an exit at the end of our code.
+        globalThis.hadTimeout = true;
+        onTimeout();
+      }
       resolve(undefined);
     }, timeoutMs);
   });
@@ -883,6 +905,22 @@ export async function withTimeout<T>(
   return await Promise.race([mainTask(), timeout]);
 }
 
+/**
+ * Check if the global hadTimeout variable has been set, and if so then
+ * exit the process to ensure any background tasks that are still running
+ * are killed. This should be called at the end of execution if the
+ * `withTimeout` function has been used.
+ */
+export async function checkForTimeout() {
+  if (globalThis.hadTimeout === true) {
+    core.info(
+      "A timeout occurred, force exiting the process after 30 seconds to prevent hanging."
+    );
+    await delay(30_000);
+    process.exit();
+  }
+}
+
 /**
  * This function implements a heuristic to determine whether the
  * runner we are on is hosted by GitHub. It does this by checking