Merge pull request #452 from github/daverlo/category

Ignore non-string values in populateRunAutomationDetails

.github/workflows/codeql.yml

@@ -7,10 +7,56 @@ on:
     branches: [main, v1]
 
 jobs:
+  # Identify the CodeQL tool versions to use in the analysis job.
+  check-codeql-versions:
+    runs-on: ubuntu-latest
+    outputs:
+      versions: ${{ steps.compare.outputs.versions }}
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Init with default CodeQL bundle from the VM image
+      id: init-default
+      uses: ./init
+      with:
+        languages: javascript
+    - name: Remove empty database
+      # allows us to run init a second time
+      run: |
+        rm -rf "$RUNNER_TEMP/codeql_databases"
+    - name: Init with latest CodeQL bundle
+      id: init-latest
+      uses: ./init
+      with:
+        tools: latest
+        languages: javascript
+    - name: Compare default and latest CodeQL bundle versions
+      id: compare
+      env:
+        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
+        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
+      run: |
+        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
+        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
+        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
+        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
+        if [[ "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+          # Just use `tools: null` to avoid duplication in the analysis job.
+          VERSIONS_JSON='[null]'
+        else
+          # Use both `tools: null` and `tools: latest` in the analysis job.
+          VERSIONS_JSON='[null, "latest"]'
+        fi
+        # Output a JSON-encoded list with the distinct versions to test against.
+        echo "Suggested matrix config for analysis job: $VERSIONS_JSON"
+        echo "::set-output name=versions::${VERSIONS_JSON}"
+
   build:
+    needs: [check-codeql-versions]
     strategy:
       matrix:
         os: [ubuntu-latest,windows-latest,macos-latest]
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 
     steps:
@@ -20,6 +66,7 @@ jobs:
       with:
         languages: javascript
         config-file: ./.github/codeql/codeql-config.yml
+        tools: ${{ matrix.tools }}
     # confirm steps.init.outputs.codeql-path points to the codeql binary
     - name: Print CodeQL Version
       run: ${{steps.init.outputs.codeql-path}} version --format=json

.github/workflows/pr-checks.yml

@@ -80,13 +80,65 @@ jobs:
           exit 1
         fi
 
-  multi-language-repo_test-custom-queries-and-remote-config:
+  # Identify the CodeQL tool versions to integration test against.
+  check-codeql-versions:
     needs: [check-js, check-node-modules]
+    runs-on: ubuntu-latest
+    outputs:
+      versions: ${{ steps.compare.outputs.versions }}
+
+    steps:
+    - uses: actions/checkout@v2
+    - name: Move codeql-action
+      shell: bash
+      run: |
+        mkdir ../action
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
+        mv ../action/.github/workflows .github
+    - name: Init with default CodeQL bundle from the VM image
+      id: init-default
+      uses: ./../action/init
+      with:
+        languages: javascript
+    - name: Remove empty database
+      # allows us to run init a second time
+      run: |
+        rm -rf "$RUNNER_TEMP/codeql_databases"
+    - name: Init with latest CodeQL bundle
+      id: init-latest
+      uses: ./../action/init
+      with:
+        tools: latest
+        languages: javascript
+    - name: Compare default and latest CodeQL bundle versions
+      id: compare
+      env:
+        CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
+        CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
+      run: |
+        CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
+        CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
+        echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
+        echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
+        if [[ "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
+          # Just use `tools: null` to avoid duplication in the integration tests.
+          VERSIONS_JSON='[null]'
+        else
+          # Use both `tools: null` and `tools: latest` in the integration tests.
+          VERSIONS_JSON='[null, "latest"]'
+        fi
+        # Output a JSON-encoded list with the distinct versions to test against.
+        echo "Suggested matrix config for integration tests: $VERSIONS_JSON"
+        echo "::set-output name=versions::${VERSIONS_JSON}"
+
+  multi-language-repo_test-custom-queries-and-remote-config:
+    needs: [check-js, check-node-modules, check-codeql-versions]
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
-        tools: [~, latest]
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 
     steps:
@@ -112,11 +164,12 @@ jobs:
 
   # Currently is not possible to analyze Go in conjunction with other languages in macos
   multi-language-repo_test-go-custom-queries:
-    needs: [check-js, check-node-modules]
+    needs: [check-js, check-node-modules, check-codeql-versions]
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
 
     steps:
@@ -136,6 +189,7 @@ jobs:
       with:
         languages: go
         config-file: ./.github/codeql/custom-queries.yml
+        tools: ${{ matrix.tools }}
     - name: Build code
       shell: bash
       run: ./build.sh
@@ -144,11 +198,12 @@ jobs:
         TEST_MODE: true
 
   go-custom-tracing:
-    needs: [check-js, check-node-modules]
+    needs: [check-js, check-node-modules, check-codeql-versions]
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, windows-latest, macos-latest]
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ${{ matrix.os }}
     env:
       CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on"
@@ -169,6 +224,7 @@ jobs:
     - uses: ./../action/init
       with:
         languages: go
+        tools: ${{ matrix.tools }}
     - name: Build code
       shell: bash
       run: go build main.go
@@ -177,7 +233,11 @@ jobs:
         TEST_MODE: true
 
   go-custom-tracing-autobuild:
-    needs: [check-js, check-node-modules]
+    needs: [check-js, check-node-modules, check-codeql-versions]
+    strategy:
+      fail-fast: false
+      matrix:
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     # No need to test Go autobuild on multiple OSes since
     # we're testing Go custom tracing with a manual build on all OSes.
     runs-on: ubuntu-latest
@@ -196,6 +256,7 @@ jobs:
     - uses: ./../action/init
       with:
         languages: go
+        tools: ${{ matrix.tools }}
     - uses: ./../action/autobuild
     - uses: ./../action/analyze
       env:
@@ -235,7 +296,11 @@ jobs:
         TEST_MODE: true
 
   test-proxy:
-    needs: [check-js, check-node-modules]
+    needs: [check-js, check-node-modules, check-codeql-versions]
+    strategy:
+      fail-fast: false
+      matrix:
+        tools: ${{ fromJson(needs.check-codeql-versions.outputs.versions) }}
     runs-on: ubuntu-latest
     container:
       image: ubuntu:18.04
@@ -259,6 +324,7 @@ jobs:
     - uses: ./../action/init
       with:
         languages: javascript
+        tools: ${{ matrix.tools }}
     - uses: ./../action/analyze
       env:
         TEST_MODE: true

lib/actions-util.js

@@ -77,7 +77,7 @@ exports.prepareLocalRunEnvironment = prepareLocalRunEnvironment;
 /**
  * Gets the SHA of the commit that is currently checked out.
  */
-exports.getCommitOid = async function () {
+exports.getCommitOid = async function (ref = "HEAD") {
     // Try to use git to get the current commit SHA. If that fails then
     // log but otherwise silently fall back to using the SHA from the environment.
     // The only time these two values will differ is during analysis of a PR when
@@ -87,7 +87,7 @@ exports.getCommitOid = async function () {
     // reported on the merge commit.
     try {
         let commitOid = "";
-        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), ["rev-parse", "HEAD"], {
+        await new toolrunner.ToolRunner(await safeWhich.safeWhich("git"), ["rev-parse", ref], {
             silent: true,
             listeners: {
                 stdout: (data) => {
@@ -354,15 +354,28 @@ async function getRef() {
     // Will be in the form "refs/heads/master" on a push event
     // or in the form "refs/pull/N/merge" on a pull_request event
     const ref = getRequiredEnvParam("GITHUB_REF");
+    const sha = getRequiredEnvParam("GITHUB_SHA");
     // For pull request refs we want to detect whether the workflow
     // has run `git checkout HEAD^2` to analyze the 'head' ref rather
     // than the 'merge' ref. If so, we want to convert the ref that
     // we report back.
     const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
-    const checkoutSha = await exports.getCommitOid();
-    if (pull_ref_regex.test(ref) &&
-        checkoutSha !== getRequiredEnvParam("GITHUB_SHA")) {
-        return ref.replace(pull_ref_regex, "refs/pull/$1/head");
+    if (!pull_ref_regex.test(ref)) {
+        return ref;
+    }
+    const head = await exports.getCommitOid("HEAD");
+    // in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
+    // in actions/checkout@v1 this may not be true as it checks out the repository
+    // using GITHUB_REF. There is a subtle race condition where
+    // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check
+    // git git-parse GITHUB_REF == git rev-parse HEAD instead.
+    const hasChangedRef = sha !== head &&
+        (await exports.getCommitOid(ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !==
+            head;
+    if (hasChangedRef) {
+        const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
+        core.debug(`No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`);
+        return newRef;
     }
     else {
         return ref;
@@ -470,7 +483,15 @@ async function sendStatusReport(statusReport) {
         if (isHTTPError(e)) {
             switch (e.status) {
                 case 403:
-                    core.setFailed(e.message || GENERIC_403_MSG);
+                    if (workflowIsTriggeredByPushEvent() && isDependabotActor()) {
+                        core.setFailed('Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
+                            "Uploading Code Scanning results requires write access. " +
+                            'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+                            "See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events.");
+                    }
+                    else {
+                        core.setFailed(e.message || GENERIC_403_MSG);
+                    }
                     return false;
                 case 404:
                     core.setFailed(GENERIC_404_MSG);
@@ -495,6 +516,14 @@ async function sendStatusReport(statusReport) {
     }
 }
 exports.sendStatusReport = sendStatusReport;
+// Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
+function workflowIsTriggeredByPushEvent() {
+    return process.env["GITHUB_EVENT_NAME"] === "push";
+}
+// Is dependabot the actor that triggered the current workflow run.
+function isDependabotActor() {
+    return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
+}
 // Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
 // as opposed to running a remote action (i.e. when another repo references us)
 function isRunningLocalAction() {

lib/actions-util.test.js

@@ -28,16 +28,33 @@ ava_1.default("getRef() returns merge PR ref if GITHUB_SHA still checked out", a
     const currentSha = "a".repeat(40);
     process.env["GITHUB_REF"] = expectedRef;
     process.env["GITHUB_SHA"] = currentSha;
-    sinon_1.default.stub(actionsutil, "getCommitOid").resolves(currentSha);
+    const callback = sinon_1.default.stub(actionsutil, "getCommitOid");
+    callback.withArgs("HEAD").resolves(currentSha);
     const actualRef = await actionsutil.getRef();
     t.deepEqual(actualRef, expectedRef);
+    callback.restore();
 });
-ava_1.default("getRef() returns head PR ref if GITHUB_SHA not currently checked out", async (t) => {
+ava_1.default("getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1)", async (t) => {
+    const expectedRef = "refs/pull/1/merge";
+    process.env["GITHUB_REF"] = expectedRef;
+    process.env["GITHUB_SHA"] = "b".repeat(40);
+    const sha = "a".repeat(40);
+    const callback = sinon_1.default.stub(actionsutil, "getCommitOid");
+    callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
+    callback.withArgs("HEAD").resolves(sha);
+    const actualRef = await actionsutil.getRef();
+    t.deepEqual(actualRef, expectedRef);
+    callback.restore();
+});
+ava_1.default("getRef() returns head PR ref if GITHUB_REF no longer checked out", async (t) => {
     process.env["GITHUB_REF"] = "refs/pull/1/merge";
     process.env["GITHUB_SHA"] = "a".repeat(40);
-    sinon_1.default.stub(actionsutil, "getCommitOid").resolves("b".repeat(40));
+    const callback = sinon_1.default.stub(actionsutil, "getCommitOid");
+    callback.withArgs("refs/pull/1/merge").resolves("a".repeat(40));
+    callback.withArgs("HEAD").resolves("b".repeat(40));
     const actualRef = await actionsutil.getRef();
     t.deepEqual(actualRef, "refs/pull/1/head");
+    callback.restore();
 });
 ava_1.default("getAnalysisKey() when a local run", async (t) => {
     process.env.CODEQL_LOCAL_RUN = "true";

lib/api-client.js

@@ -20,11 +20,12 @@ var DisallowedAPIVersionReason;
     DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_OLD"] = 0] = "ACTION_TOO_OLD";
     DisallowedAPIVersionReason[DisallowedAPIVersionReason["ACTION_TOO_NEW"] = 1] = "ACTION_TOO_NEW";
 })(DisallowedAPIVersionReason = exports.DisallowedAPIVersionReason || (exports.DisallowedAPIVersionReason = {}));
-exports.getApiClient = function (apiDetails, allowLocalRun = false) {
+exports.getApiClient = function (apiDetails, { allowLocalRun = false, allowExternal = false } = {}) {
     if (util_1.isLocalRun() && !allowLocalRun) {
         throw new Error("Invalid API call in local run");
     }
-    return new githubUtils.GitHub(githubUtils.getOctokitOptions(apiDetails.auth, {
+    const auth = (allowExternal && apiDetails.externalRepoAuth) || apiDetails.auth;
+    return new githubUtils.GitHub(githubUtils.getOctokitOptions(auth, {
         baseUrl: getApiUrl(apiDetails.url),
         userAgent: "CodeQL Action",
         log: console_log_level_1.default({ level: "debug" }),
@@ -49,7 +50,7 @@ function getActionsApiClient(allowLocalRun = false) {
         auth: actions_util_1.getRequiredInput("token"),
         url: actions_util_1.getRequiredEnvParam("GITHUB_SERVER_URL"),
     };
-    return exports.getApiClient(apiDetails, allowLocalRun);
+    return exports.getApiClient(apiDetails, { allowLocalRun });
 }
 exports.getActionsApiClient = getActionsApiClient;
 //# sourceMappingURL=api-client.js.map

lib/api-client.js.map

@@ -1 +1 @@
-{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,0EAAgD;AAEhD,iDAAuE;AACvE,iCAAoC;AAEpC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeY,QAAA,YAAY,GAAG,UAC1B,UAA4B,EAC5B,aAAa,GAAG,KAAK;IAErB,IAAI,iBAAU,EAAE,IAAI,CAAC,aAAa,EAAE;QAClC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;KAClD;IACD,OAAO,IAAI,WAAW,CAAC,MAAM,CAC3B,WAAW,CAAC,iBAAiB,CAAC,UAAU,CAAC,IAAI,EAAE;QAC7C,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,eAAe;QAC1B,GAAG,EAAE,2BAAe,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB,CAAC,aAAa,GAAG,KAAK;IACvD,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,+BAAgB,CAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,kCAAmB,CAAC,mBAAmB,CAAC;KAC9C,CAAC;IAEF,OAAO,oBAAY,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;AACjD,CAAC;AAPD,kDAOC"}
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../src/api-client.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAA6B;AAE7B,uEAAyD;AACzD,0EAAgD;AAEhD,iDAAuE;AACvE,iCAAoC;AAEpC,IAAY,0BAGX;AAHD,WAAY,0BAA0B;IACpC,+FAAc,CAAA;IACd,+FAAc,CAAA;AAChB,CAAC,EAHW,0BAA0B,GAA1B,kCAA0B,KAA1B,kCAA0B,QAGrC;AAeY,QAAA,YAAY,GAAG,UAC1B,UAAoC,EACpC,EAAE,aAAa,GAAG,KAAK,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,EAAE;IAErD,IAAI,iBAAU,EAAE,IAAI,CAAC,aAAa,EAAE;QAClC,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,CAAC;KAClD;IAED,MAAM,IAAI,GACR,CAAC,aAAa,IAAI,UAAU,CAAC,gBAAgB,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC;IACpE,OAAO,IAAI,WAAW,CAAC,MAAM,CAC3B,WAAW,CAAC,iBAAiB,CAAC,IAAI,EAAE;QAClC,OAAO,EAAE,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC;QAClC,SAAS,EAAE,eAAe;QAC1B,GAAG,EAAE,2BAAe,CAAC,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;KACzC,CAAC,CACH,CAAC;AACJ,CAAC,CAAC;AAEF,SAAS,SAAS,CAAC,SAAiB;IAClC,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAE/B,uDAAuD;IACvD,0CAA0C;IAC1C,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,gBAAgB,EAAE;QACtE,OAAO,wBAAwB,CAAC;KACjC;IAED,6BAA6B;IAC7B,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,KAAK,EAAE,IAAI,CAAC,CAAC;IACpD,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED,uFAAuF;AACvF,qFAAqF;AACrF,+CAA+C;AAC/C,SAAgB,mBAAmB,CAAC,aAAa,GAAG,KAAK;IACvD,MAAM,UAAU,GAAG;QACjB,IAAI,EAAE,+BAAgB,CAAC,OAAO,CAAC;QAC/B,GAAG,EAAE,kCAAmB,CAAC,mBAAmB,CAAC;KAC9C,CAAC;IAEF,OAAO,oBAAY,CAAC,UAAU,EAAE,EAAE,aAAa,EAAE,CAAC,CAAC;AACrD,CAAC;AAPD,kDAOC"}

lib/api-client.test.js

@@ -0,0 +1,72 @@
+"use strict";
+var __importStar = (this && this.__importStar) || function (mod) {
+    if (mod && mod.__esModule) return mod;
+    var result = {};
+    if (mod != null) for (var k in mod) if (Object.hasOwnProperty.call(mod, k)) result[k] = mod[k];
+    result["default"] = mod;
+    return result;
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const githubUtils = __importStar(require("@actions/github/lib/utils"));
+const ava_1 = __importDefault(require("ava"));
+const sinon_1 = __importDefault(require("sinon"));
+const api_client_1 = require("./api-client");
+const testing_utils_1 = require("./testing-utils");
+testing_utils_1.setupTests(ava_1.default);
+let githubStub;
+ava_1.default.beforeEach(() => {
+    githubStub = sinon_1.default.stub(githubUtils, "GitHub");
+});
+ava_1.default("Get the client API", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        externalRepoAuth: "abc",
+        url: "http://hucairz",
+    }, undefined, {
+        auth: "token xyz",
+        baseUrl: "http://hucairz/api/v3",
+        userAgent: "CodeQL Action",
+    });
+});
+ava_1.default("Get the client API external", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        externalRepoAuth: "abc",
+        url: "http://hucairz",
+    }, { allowExternal: true }, {
+        auth: "token abc",
+        baseUrl: "http://hucairz/api/v3",
+        userAgent: "CodeQL Action",
+    });
+});
+ava_1.default("Get the client API external not present", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        url: "http://hucairz",
+    }, { allowExternal: true }, {
+        auth: "token xyz",
+        baseUrl: "http://hucairz/api/v3",
+        userAgent: "CodeQL Action",
+    });
+});
+ava_1.default("Get the client API with github url", async (t) => {
+    doTest(t, {
+        auth: "xyz",
+        url: "https://github.com/some/invalid/url",
+    }, undefined, {
+        auth: "token xyz",
+        baseUrl: "https://api.github.com",
+        userAgent: "CodeQL Action",
+    });
+});
+function doTest(t, clientArgs, clientOptions, expected) {
+    api_client_1.getApiClient(clientArgs, clientOptions);
+    const firstCallArgs = githubStub.args[0];
+    // log is a function, so we don't need to test for equality of it
+    delete firstCallArgs[0].log;
+    t.deepEqual(firstCallArgs, [expected]);
+}
+//# sourceMappingURL=api-client.test.js.map

lib/api-client.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-client.test.js","sourceRoot":"","sources":["../src/api-client.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,uEAAyD;AACzD,8CAA6C;AAC7C,kDAA0B;AAE1B,6CAA4C;AAC5C,mDAA6C;AAE7C,0BAAU,CAAC,aAAI,CAAC,CAAC;AAEjB,IAAI,UAA2B,CAAC;AAEhC,aAAI,CAAC,UAAU,CAAC,GAAG,EAAE;IACnB,UAAU,GAAG,eAAK,CAAC,IAAI,CAAC,WAAW,EAAE,QAAQ,CAAC,CAAC;AACjD,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,oBAAoB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrC,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,6BAA6B,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC9C,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,gBAAgB,EAAE,KAAK;QACvB,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,yCAAyC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1D,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,gBAAgB;KACtB,EACD,EAAE,aAAa,EAAE,IAAI,EAAE,EACvB;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,oCAAoC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACrD,MAAM,CACJ,CAAC,EACD;QACE,IAAI,EAAE,KAAK;QACX,GAAG,EAAE,qCAAqC;KAC3C,EACD,SAAS,EACT;QACE,IAAI,EAAE,WAAW;QACjB,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,eAAe;KAC3B,CACF,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,SAAS,MAAM,CACb,CAA4B,EAC5B,UAAe,EACf,aAAkB,EAClB,QAAa;IAEb,yBAAY,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC;IAExC,MAAM,aAAa,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACzC,iEAAiE;IACjE,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC;IAC5B,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;AACzC,CAAC"}

lib/config-utils.js

@@ -304,7 +304,7 @@ exports.getUnknownLanguagesError = getUnknownLanguagesError;
 async function getLanguagesInRepo(repository, apiDetails, logger) {
     logger.debug(`GitHub repo ${repository.owner} ${repository.repo}`);
     const response = await api
-        .getApiClient(apiDetails, true)
+        .getApiClient(apiDetails, { allowLocalRun: true })
         .repos.listLanguages({
         owner: repository.owner,
         repo: repository.repo,
@@ -556,7 +556,9 @@ async function getRemoteConfig(configFile, apiDetails) {
     if (pieces === null || pieces.groups === undefined || pieces.length < 5) {
         throw new Error(getConfigFileRepoFormatInvalidMessage(configFile));
     }
-    const response = await api.getApiClient(apiDetails, true).repos.getContent({
+    const response = await api
+        .getApiClient(apiDetails, { allowLocalRun: true, allowExternal: true })
+        .repos.getContent({
         owner: pieces.groups.owner,
         repo: pieces.groups.repo,
         path: pieces.groups.path,

lib/defaults.json

@@ -1,3 +1,3 @@
 {
-    "bundleVersion": "codeql-bundle-20210308"
+    "bundleVersion": "codeql-bundle-20210326"
 }

lib/runner.js

@@ -92,9 +92,8 @@ program
     .option("--tools-dir <dir>", "Directory to use for CodeQL tools and other files to store between runs. Default is a subdirectory of the home directory.")
     .option("--checkout-path <path>", "Checkout path. Default is the current working directory.")
     .option("--debug", "Print more verbose output", false)
-    // This prevents a message like: error: unknown option '--trace-process-level'
-    // Remove this if commander.js starts supporting hidden options.
-    .allowUnknownOption()
+    .option("--trace-process-name <string>", "(Advanced, windows-only) Inject a windows tracer of this process into a process with the given process name.")
+    .option("--trace-process-level <number>", "(Advanced, windows-only) Inject a windows tracer of this process into a parent process <number> levels up.")
     .action(async (cmd) => {
     const logger = logging_1.getRunnerLogger(cmd.debug);
     try {

lib/upload-lib.js

@@ -44,6 +44,38 @@ function combineSarifFiles(sarifFiles) {
     return JSON.stringify(combinedSarif);
 }
 exports.combineSarifFiles = combineSarifFiles;
+// Populates the run.automationDetails.id field using the analysis_key and environment
+// and return an updated sarif file contents.
+function populateRunAutomationDetails(sarifContents, analysis_key, environment) {
+    if (analysis_key === undefined) {
+        return sarifContents;
+    }
+    let automationID = `${analysis_key}/`;
+    // the id has to be deterministic so we sort the fields
+    if (environment !== undefined && environment !== "null") {
+        const environmentObject = JSON.parse(environment);
+        for (const entry of Object.entries(environmentObject).sort()) {
+            if (typeof entry[1] === "string") {
+                automationID += `${entry[0]}:${entry[1]}/`;
+            }
+            else {
+                // In code scanning we just handle the string values,
+                // the rest get converted to the empty string
+                automationID += `${entry[0]}:/`;
+            }
+        }
+    }
+    const sarif = JSON.parse(sarifContents);
+    for (const run of sarif.runs || []) {
+        if (run.automationDetails === undefined) {
+            run.automationDetails = {
+                id: automationID,
+            };
+        }
+    }
+    return JSON.stringify(sarif);
+}
+exports.populateRunAutomationDetails = populateRunAutomationDetails;
 // Upload the given payload.
 // If the request fails then this will retry a small number of times.
 async function uploadPayload(payload, repositoryNwo, apiDetails, mode, logger) {
@@ -215,6 +247,7 @@ async function uploadFiles(sarifFiles, repositoryNwo, commitOid, ref, analysisKe
     }
     let sarifPayload = combineSarifFiles(sarifFiles);
     sarifPayload = fingerprints.addFingerprints(sarifPayload, checkoutPath, logger);
+    sarifPayload = populateRunAutomationDetails(sarifPayload, analysisKey, environment);
     const zippedSarif = zlib_1.default.gzipSync(sarifPayload).toString("base64");
     const checkoutURI = file_url_1.default(checkoutPath);
     const toolNames = util.getToolNames(sarifPayload);

lib/upload-lib.test.js

@@ -82,4 +82,29 @@ ava_1.default("finding SARIF files", async (t) => {
         ]);
     });
 });
+ava_1.default("populateRunAutomationDetails", (t) => {
+    let sarif = '{"runs": [{}]}';
+    const analysisKey = ".github/workflows/codeql-analysis.yml:analyze";
+    let expectedSarif = '{"runs":[{"automationDetails":{"id":".github/workflows/codeql-analysis.yml:analyze/language:javascript/os:linux/"}}]}';
+    let modifiedSarif = uploadLib.populateRunAutomationDetails(sarif, analysisKey, '{"language": "javascript", "os": "linux"}');
+    t.deepEqual(modifiedSarif, expectedSarif);
+    // check the environment sorting
+    modifiedSarif = uploadLib.populateRunAutomationDetails(sarif, analysisKey, '{"os": "linux", "language": "javascript"}');
+    t.deepEqual(modifiedSarif, expectedSarif);
+    // check that an empty environment produces the right results
+    expectedSarif =
+        '{"runs":[{"automationDetails":{"id":".github/workflows/codeql-analysis.yml:analyze/"}}]}';
+    modifiedSarif = uploadLib.populateRunAutomationDetails(sarif, analysisKey, "{}");
+    t.deepEqual(modifiedSarif, expectedSarif);
+    // check non string environment values
+    expectedSarif =
+        '{"runs":[{"automationDetails":{"id":".github/workflows/codeql-analysis.yml:analyze/number:/object:/"}}]}';
+    modifiedSarif = uploadLib.populateRunAutomationDetails(sarif, analysisKey, '{"number": 1, "object": {"language": "javascript"}}');
+    t.deepEqual(modifiedSarif, expectedSarif);
+    // check that the automation details doesn't get overwritten
+    sarif = '{"runs":[{"automationDetails":{"id":"my_id"}}]}';
+    expectedSarif = '{"runs":[{"automationDetails":{"id":"my_id"}}]}';
+    modifiedSarif = uploadLib.populateRunAutomationDetails(sarif, analysisKey, '{"os": "linux", "language": "javascript"}');
+    t.deepEqual(modifiedSarif, expectedSarif);
+});
 //# sourceMappingURL=upload-lib.test.js.map

lib/upload-lib.test.js.map

@@ -1 +1 @@
-{"version":3,"file":"upload-lib.test.js","sourceRoot":"","sources":["../src/upload-lib.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,8CAAuB;AAEvB,uCAA4C;AAC5C,mDAA6C;AAC7C,wDAA0C;AAC1C,iCAAkE;AAElE,0BAAU,CAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,MAAM,SAAS,GAAG,GAAG,SAAS,oCAAoC,CAAC;IACnE,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE,CACf,SAAS,CAAC,uBAAuB,CAAC,SAAS,EAAE,yBAAe,CAAC,IAAI,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,mCAAmC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9C,MAAM,SAAS,GAAG,GAAG,SAAS,sCAAsC,CAAC;IACrE,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,CACZ,SAAS,CAAC,uBAAuB,CAAC,SAAS,EAAE,yBAAe,CAAC,IAAI,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,2CAA2C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC5D,MAAM,WAAW,GAAoB;QACnC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE;QAC9B,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE;KAC/C,CAAC;IACF,MAAM,WAAW,GAAoB;QACnC,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE;QAC/C,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE;KAC/C,CAAC;IACF,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAEpD,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,MAAM,CAAC;IAC1C,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,mBAAmB,EACnB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,kCAAkC;QAClC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;KAC3B;IAED,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,cAAc,CAAC;IAClD,OAAO,CAAC,GAAG,CACT,mBAAmB,CACpB,GAAG,GAAG,SAAS,oCAAoC,CAAC;IACrD,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,qBAAqB,EACrB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,mBAAmB,CAAC,CAAC;QACnD,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,0CAA0C,CAAC,CAAC;KAC3E;IAED,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,qBAAqB,EACrB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,iDAAiD;QACjD,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;KAC3B;AACH,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,qBAAqB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACtC,MAAM,iBAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,kCAAkC;QAClC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QACnD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAEnD,2CAA2C;QAC3C,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;QAEjD,+CAA+C;QAC/C,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QACxC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3D,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QAChD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAEnE,4BAA4B;QAC5B,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QACxC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,KAAK,CAAC,CAAC;QACrE,EAAE,CAAC,WAAW,CACZ,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAC3C,MAAM,CACP,CAAC;QAEF,MAAM,UAAU,GAAG,SAAS,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAEzD,CAAC,CAAC,SAAS,CAAC,UAAU,EAAE;YACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC;YACpC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC;SAC7C,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}
+{"version":3,"file":"upload-lib.test.js","sourceRoot":"","sources":["../src/upload-lib.test.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,uCAAyB;AACzB,2CAA6B;AAE7B,8CAAuB;AAEvB,uCAA4C;AAC5C,mDAA6C;AAC7C,wDAA0C;AAC1C,iCAAkE;AAElE,0BAAU,CAAC,aAAI,CAAC,CAAC;AAEjB,aAAI,CAAC,iCAAiC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC5C,MAAM,SAAS,GAAG,GAAG,SAAS,oCAAoC,CAAC;IACnE,CAAC,CAAC,SAAS,CAAC,GAAG,EAAE,CACf,SAAS,CAAC,uBAAuB,CAAC,SAAS,EAAE,yBAAe,CAAC,IAAI,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,mCAAmC,EAAE,CAAC,CAAC,EAAE,EAAE;IAC9C,MAAM,SAAS,GAAG,GAAG,SAAS,sCAAsC,CAAC;IACrE,CAAC,CAAC,MAAM,CAAC,GAAG,EAAE,CACZ,SAAS,CAAC,uBAAuB,CAAC,SAAS,EAAE,yBAAe,CAAC,IAAI,CAAC,CAAC,CACpE,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,2CAA2C,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC5D,MAAM,WAAW,GAAoB;QACnC,EAAE,IAAI,EAAE,oBAAa,CAAC,MAAM,EAAE;QAC9B,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE;KAC/C,CAAC;IACF,MAAM,WAAW,GAAoB;QACnC,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE;QAC/C,EAAE,IAAI,EAAE,oBAAa,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE;KAC/C,CAAC;IACF,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAEpD,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,MAAM,CAAC;IAC1C,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,mBAAmB,EACnB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,kCAAkC;QAClC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;KAC3B;IAED,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,GAAG,cAAc,CAAC;IAClD,OAAO,CAAC,GAAG,CACT,mBAAmB,CACpB,GAAG,GAAG,SAAS,oCAAoC,CAAC;IACrD,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,qBAAqB,EACrB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,mBAAmB,CAAC,CAAC;QACnD,CAAC,CAAC,SAAS,CAAC,OAAO,CAAC,QAAQ,EAAE,0CAA0C,CAAC,CAAC;KAC3E;IAED,KAAK,MAAM,OAAO,IAAI,WAAW,EAAE;QACjC,MAAM,OAAO,GAAQ,SAAS,CAAC,YAAY,CACzC,QAAQ,EACR,qBAAqB,EACrB,KAAK,EACL,SAAS,EACT,EAAE,EACF,SAAS,EACT,UAAU,EACV,SAAS,EACT,CAAC,QAAQ,EAAE,QAAQ,CAAC,EACpB,OAAO,EACP,SAAS,CACV,CAAC;QACF,iDAAiD;QACjD,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC1B,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;KAC3B;AACH,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,qBAAqB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IACtC,MAAM,iBAAU,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;QAChC,kCAAkC;QAClC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QACnD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAEnD,2CAA2C;QAC3C,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,CAAC;QAEjD,+CAA+C;QAC/C,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QACxC,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAC3D,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QAChD,EAAE,CAAC,aAAa,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,CAAC;QAEnE,4BAA4B;QAC5B,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC;QACxC,EAAE,CAAC,WAAW,CAAC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,UAAU,CAAC,EAAE,KAAK,CAAC,CAAC;QACrE,EAAE,CAAC,WAAW,CACZ,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC,EAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAC3C,MAAM,CACP,CAAC;QAEF,MAAM,UAAU,GAAG,SAAS,CAAC,mBAAmB,CAAC,MAAM,CAAC,CAAC;QAEzD,CAAC,CAAC,SAAS,CAAC,UAAU,EAAE;YACtB,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,SAAS,CAAC;YAC5B,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC;YACpC,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC;SAC7C,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,aAAI,CAAC,8BAA8B,EAAE,CAAC,CAAC,EAAE,EAAE;IACzC,IAAI,KAAK,GAAG,gBAAgB,CAAC;IAC7B,MAAM,WAAW,GAAG,+CAA+C,CAAC;IAEpE,IAAI,aAAa,GACf,uHAAuH,CAAC;IAE1H,IAAI,aAAa,GAAG,SAAS,CAAC,4BAA4B,CACxD,KAAK,EACL,WAAW,EACX,2CAA2C,CAC5C,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;IAE1C,gCAAgC;IAChC,aAAa,GAAG,SAAS,CAAC,4BAA4B,CACpD,KAAK,EACL,WAAW,EACX,2CAA2C,CAC5C,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;IAE1C,6DAA6D;IAC7D,aAAa;QACX,0FAA0F,CAAC;IAC7F,aAAa,GAAG,SAAS,CAAC,4BAA4B,CACpD,KAAK,EACL,WAAW,EACX,IAAI,CACL,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;IAE1C,sCAAsC;IACtC,aAAa;QACX,0GAA0G,CAAC;IAC7G,aAAa,GAAG,SAAS,CAAC,4BAA4B,CACpD,KAAK,EACL,WAAW,EACX,qDAAqD,CACtD,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;IAE1C,4DAA4D;IAC5D,KAAK,GAAG,iDAAiD,CAAC;IAC1D,aAAa,GAAG,iDAAiD,CAAC;IAClE,aAAa,GAAG,SAAS,CAAC,4BAA4B,CACpD,KAAK,EACL,WAAW,EACX,2CAA2C,CAC5C,CAAC;IACF,CAAC,CAAC,SAAS,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;AAC5C,CAAC,CAAC,CAAC"}

node_modules/y18n/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+
+### 4.0.1 (2020-11-30)
+
+### Bug Fixes
+
+* address prototype pollution issue ([#108](https://www.github.com/yargs/y18n/issues/108)) ([a9ac604](https://www.github.com/yargs/y18n/commit/a9ac604abf756dec9687be3843e2c93bfe581f25))
+
 <a name="4.0.0"></a>
 # [4.0.0](https://github.com/yargs/y18n/compare/v3.2.1...v4.0.0) (2017-10-10)
 

node_modules/y18n/index.js

@@ -11,7 +11,7 @@ function Y18N (opts) {
   this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true
 
   // internal stuff.
-  this.cache = {}
+  this.cache = Object.create(null)
   this.writeQueue = []
 }
 

node_modules/y18n/package.json

@@ -1,6 +1,6 @@
 {
   "name": "y18n",
-  "version": "4.0.0",
+  "version": "4.0.1",
   "description": "the bare-bones internationalization library used by yargs",
   "main": "index.js",
   "scripts": {

package-lock.json

@@ -4506,9 +4506,9 @@
       "dev": true
     },
     "y18n": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz",
-      "integrity": "sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.1.tgz",
+      "integrity": "sha512-wNcy4NvjMYL8gogWWYAO7ZFWFfHcbdbE57tZO8e4cbpj8tfUcwrwqSl3ad8HxpYWCdXcJUCeKKZS62Av1affwQ==",
       "dev": true
     },
     "yargs": {

runner/package-lock.json

@@ -4684,9 +4684,9 @@
       "dev": true
     },
     "y18n": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz",
-      "integrity": "sha512-r9S/ZyXu/Xu9q1tYlpsLIsa3EeLXXk0VwlxqTcFRfg9EhMW+17kbt9G0NrgCmhGb5vT2hyhJZLfDGx+7+5Uj/w==",
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.1.tgz",
+      "integrity": "sha512-wNcy4NvjMYL8gogWWYAO7ZFWFfHcbdbE57tZO8e4cbpj8tfUcwrwqSl3ad8HxpYWCdXcJUCeKKZS62Av1affwQ==",
       "dev": true
     },
     "yallist": {

src/actions-util.test.ts

@@ -25,20 +25,40 @@ test("getRef() returns merge PR ref if GITHUB_SHA still checked out", async (t)
   process.env["GITHUB_REF"] = expectedRef;
   process.env["GITHUB_SHA"] = currentSha;
 
-  sinon.stub(actionsutil, "getCommitOid").resolves(currentSha);
+  const callback = sinon.stub(actionsutil, "getCommitOid");
+  callback.withArgs("HEAD").resolves(currentSha);
 
   const actualRef = await actionsutil.getRef();
   t.deepEqual(actualRef, expectedRef);
+  callback.restore();
 });
 
-test("getRef() returns head PR ref if GITHUB_SHA not currently checked out", async (t) => {
+test("getRef() returns merge PR ref if GITHUB_REF still checked out but sha has changed (actions checkout@v1)", async (t) => {
+  const expectedRef = "refs/pull/1/merge";
+  process.env["GITHUB_REF"] = expectedRef;
+  process.env["GITHUB_SHA"] = "b".repeat(40);
+  const sha = "a".repeat(40);
+
+  const callback = sinon.stub(actionsutil, "getCommitOid");
+  callback.withArgs("refs/remotes/pull/1/merge").resolves(sha);
+  callback.withArgs("HEAD").resolves(sha);
+
+  const actualRef = await actionsutil.getRef();
+  t.deepEqual(actualRef, expectedRef);
+  callback.restore();
+});
+
+test("getRef() returns head PR ref if GITHUB_REF no longer checked out", async (t) => {
   process.env["GITHUB_REF"] = "refs/pull/1/merge";
   process.env["GITHUB_SHA"] = "a".repeat(40);
 
-  sinon.stub(actionsutil, "getCommitOid").resolves("b".repeat(40));
+  const callback = sinon.stub(actionsutil, "getCommitOid");
+  callback.withArgs("refs/pull/1/merge").resolves("a".repeat(40));
+  callback.withArgs("HEAD").resolves("b".repeat(40));
 
   const actualRef = await actionsutil.getRef();
   t.deepEqual(actualRef, "refs/pull/1/head");
+  callback.restore();
 });
 
 test("getAnalysisKey() when a local run", async (t) => {

src/actions-util.ts

@@ -75,7 +75,7 @@ export function prepareLocalRunEnvironment() {
 /**
  * Gets the SHA of the commit that is currently checked out.
  */
-export const getCommitOid = async function (): Promise<string> {
+export const getCommitOid = async function (ref = "HEAD"): Promise<string> {
   // Try to use git to get the current commit SHA. If that fails then
   // log but otherwise silently fall back to using the SHA from the environment.
   // The only time these two values will differ is during analysis of a PR when
@@ -87,7 +87,7 @@ export const getCommitOid = async function (): Promise<string> {
     let commitOid = "";
     await new toolrunner.ToolRunner(
       await safeWhich.safeWhich("git"),
-      ["rev-parse", "HEAD"],
+      ["rev-parse", ref],
       {
         silent: true,
         listeners: {
@@ -425,19 +425,35 @@ export async function getRef(): Promise<string> {
   // Will be in the form "refs/heads/master" on a push event
   // or in the form "refs/pull/N/merge" on a pull_request event
   const ref = getRequiredEnvParam("GITHUB_REF");
+  const sha = getRequiredEnvParam("GITHUB_SHA");
 
   // For pull request refs we want to detect whether the workflow
   // has run `git checkout HEAD^2` to analyze the 'head' ref rather
   // than the 'merge' ref. If so, we want to convert the ref that
   // we report back.
   const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
-  const checkoutSha = await getCommitOid();
+  if (!pull_ref_regex.test(ref)) {
+    return ref;
+  }
 
-  if (
-    pull_ref_regex.test(ref) &&
-    checkoutSha !== getRequiredEnvParam("GITHUB_SHA")
-  ) {
-    return ref.replace(pull_ref_regex, "refs/pull/$1/head");
+  const head = await getCommitOid("HEAD");
+
+  // in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
+  // in actions/checkout@v1 this may not be true as it checks out the repository
+  // using GITHUB_REF. There is a subtle race condition where
+  // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check
+  // git git-parse GITHUB_REF == git rev-parse HEAD instead.
+  const hasChangedRef =
+    sha !== head &&
+    (await getCommitOid(ref.replace(/^refs\/pull\//, "refs/remotes/pull/"))) !==
+      head;
+
+  if (hasChangedRef) {
+    const newRef = ref.replace(pull_ref_regex, "refs/pull/$1/head");
+    core.debug(
+      `No longer on merge commit, rewriting ref from ${ref} to ${newRef}.`
+    );
+    return newRef;
   } else {
     return ref;
   }
@@ -612,7 +628,16 @@ export async function sendStatusReport<S extends StatusReportBase>(
     if (isHTTPError(e)) {
       switch (e.status) {
         case 403:
-          core.setFailed(e.message || GENERIC_403_MSG);
+          if (workflowIsTriggeredByPushEvent() && isDependabotActor()) {
+            core.setFailed(
+              'Workflows triggered by Dependabot on the "push" event run with read-only access. ' +
+                "Uploading Code Scanning results requires write access. " +
+                'To use Code Scanning with Dependabot, please ensure you are using the "pull_request" event for this workflow and avoid triggering on the "push" event for Dependabot branches. ' +
+                "See https://docs.github.com/en/code-security/secure-coding/configuring-code-scanning#scanning-on-push for more information on how to configure these events."
+            );
+          } else {
+            core.setFailed(e.message || GENERIC_403_MSG);
+          }
           return false;
         case 404:
           core.setFailed(GENERIC_404_MSG);
@@ -639,6 +664,16 @@ export async function sendStatusReport<S extends StatusReportBase>(
   }
 }
 
+// Was the workflow run triggered by a `push` event, for example as opposed to a `pull_request` event.
+function workflowIsTriggeredByPushEvent() {
+  return process.env["GITHUB_EVENT_NAME"] === "push";
+}
+
+// Is dependabot the actor that triggered the current workflow run.
+function isDependabotActor() {
+  return process.env["GITHUB_ACTOR"] === "dependabot[bot]";
+}
+
 // Is the current action executing a local copy (i.e. we're running a workflow on the codeql-action repo itself)
 // as opposed to running a remote action (i.e. when another repo references us)
 export function isRunningLocalAction(): boolean {

src/api-client.test.ts

@@ -0,0 +1,94 @@
+import * as githubUtils from "@actions/github/lib/utils";
+import test, { ExecutionContext } from "ava";
+import sinon from "sinon";
+
+import { getApiClient } from "./api-client";
+import { setupTests } from "./testing-utils";
+
+setupTests(test);
+
+let githubStub: sinon.SinonStub;
+
+test.beforeEach(() => {
+  githubStub = sinon.stub(githubUtils, "GitHub");
+});
+
+test("Get the client API", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      externalRepoAuth: "abc",
+      url: "http://hucairz",
+    },
+    undefined,
+    {
+      auth: "token xyz",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API external", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      externalRepoAuth: "abc",
+      url: "http://hucairz",
+    },
+    { allowExternal: true },
+    {
+      auth: "token abc",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API external not present", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      url: "http://hucairz",
+    },
+    { allowExternal: true },
+    {
+      auth: "token xyz",
+      baseUrl: "http://hucairz/api/v3",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+test("Get the client API with github url", async (t) => {
+  doTest(
+    t,
+    {
+      auth: "xyz",
+      url: "https://github.com/some/invalid/url",
+    },
+    undefined,
+    {
+      auth: "token xyz",
+      baseUrl: "https://api.github.com",
+      userAgent: "CodeQL Action",
+    }
+  );
+});
+
+function doTest(
+  t: ExecutionContext<unknown>,
+  clientArgs: any,
+  clientOptions: any,
+  expected: any
+) {
+  getApiClient(clientArgs, clientOptions);
+
+  const firstCallArgs = githubStub.args[0];
+  // log is a function, so we don't need to test for equality of it
+  delete firstCallArgs[0].log;
+  t.deepEqual(firstCallArgs, [expected]);
+}

src/api-client.ts

@@ -25,14 +25,17 @@ export interface GitHubApiExternalRepoDetails {
 }
 
 export const getApiClient = function (
-  apiDetails: GitHubApiDetails,
-  allowLocalRun = false
+  apiDetails: GitHubApiCombinedDetails,
+  { allowLocalRun = false, allowExternal = false } = {}
 ) {
   if (isLocalRun() && !allowLocalRun) {
     throw new Error("Invalid API call in local run");
   }
+
+  const auth =
+    (allowExternal && apiDetails.externalRepoAuth) || apiDetails.auth;
   return new githubUtils.GitHub(
-    githubUtils.getOctokitOptions(apiDetails.auth, {
+    githubUtils.getOctokitOptions(auth, {
       baseUrl: getApiUrl(apiDetails.url),
       userAgent: "CodeQL Action",
       log: consoleLogLevel({ level: "debug" }),
@@ -63,5 +66,5 @@ export function getActionsApiClient(allowLocalRun = false) {
     url: getRequiredEnvParam("GITHUB_SERVER_URL"),
   };
 
-  return getApiClient(apiDetails, allowLocalRun);
+  return getApiClient(apiDetails, { allowLocalRun });
 }

src/config-utils.ts

@@ -601,7 +601,7 @@ async function getLanguagesInRepo(
 ): Promise<Language[]> {
   logger.debug(`GitHub repo ${repository.owner} ${repository.repo}`);
   const response = await api
-    .getApiClient(apiDetails, true)
+    .getApiClient(apiDetails, { allowLocalRun: true })
     .repos.listLanguages({
       owner: repository.owner,
       repo: repository.repo,
@@ -1013,7 +1013,7 @@ function getLocalConfig(configFile: string, checkoutPath: string): UserConfig {
 
 async function getRemoteConfig(
   configFile: string,
-  apiDetails: api.GitHubApiDetails
+  apiDetails: api.GitHubApiCombinedDetails
 ): Promise<UserConfig> {
   // retrieve the various parts of the config location, and ensure they're present
   const format = new RegExp(
@@ -1025,12 +1025,14 @@ async function getRemoteConfig(
     throw new Error(getConfigFileRepoFormatInvalidMessage(configFile));
   }
 
-  const response = await api.getApiClient(apiDetails, true).repos.getContent({
-    owner: pieces.groups.owner,
-    repo: pieces.groups.repo,
-    path: pieces.groups.path,
-    ref: pieces.groups.ref,
-  });
+  const response = await api
+    .getApiClient(apiDetails, { allowLocalRun: true, allowExternal: true })
+    .repos.getContent({
+      owner: pieces.groups.owner,
+      repo: pieces.groups.repo,
+      path: pieces.groups.path,
+      ref: pieces.groups.ref,
+    });
 
   let fileContents: string;
   if ("content" in response.data && response.data.content !== undefined) {

src/defaults.json

@@ -1,3 +1,3 @@
 {
-	"bundleVersion": "codeql-bundle-20210308"
+	"bundleVersion": "codeql-bundle-20210326"
 }

src/runner.ts

@@ -141,9 +141,14 @@ program
     "Checkout path. Default is the current working directory."
   )
   .option("--debug", "Print more verbose output", false)
-  // This prevents a message like: error: unknown option '--trace-process-level'
-  // Remove this if commander.js starts supporting hidden options.
-  .allowUnknownOption()
+  .option(
+    "--trace-process-name <string>",
+    "(Advanced, windows-only) Inject a windows tracer of this process into a process with the given process name."
+  )
+  .option(
+    "--trace-process-level <number>",
+    "(Advanced, windows-only) Inject a windows tracer of this process into a parent process <number> levels up."
+  )
   .action(async (cmd: InitArgs) => {
     const logger = getRunnerLogger(cmd.debug);
     try {

src/sarif_v2.1.0_schema.json

@@ -2339,9 +2339,8 @@
           "description": "The language of the messages emitted into the log file during this run (expressed as an ISO 639-1 two-letter lowercase culture code) and an optional region (expressed as an ISO 3166-1 two-letter uppercase subculture code associated with a country or region). The casing is recommended but not required (in order for this data to conform to RFC5646).",
           "type": "string",
           "default": "en-US",
-          "pattern": "^[a-zA-Z]{2}|^[a-zA-Z]{2}-[a-zA-Z]{2}]?$"
+          "pattern": "^[a-zA-Z]{2}(-[a-zA-Z]{2})?$"
         },
-
         "versionControlProvenance": {
           "description": "Specifies the revision in version control of the artifacts that were scanned.",
           "type": "array",
@@ -3040,7 +3039,7 @@
           "description": "The language of the messages emitted into the log file during this run (expressed as an ISO 639-1 two-letter lowercase language code) and an optional region (expressed as an ISO 3166-1 two-letter uppercase subculture code associated with a country or region). The casing is recommended but not required (in order for this data to conform to RFC5646).",
           "type": "string",
           "default": "en-US",
-          "pattern": "^[a-zA-Z]{2}|^[a-zA-Z]{2}-[a-zA-Z]{2}]?$"
+          "pattern": "^[a-zA-Z]{2}(-[a-zA-Z]{2})?$"
         },
 
         "contents": {

src/upload-lib.test.ts

@@ -131,3 +131,56 @@ test("finding SARIF files", async (t) => {
     ]);
   });
 });
+
+test("populateRunAutomationDetails", (t) => {
+  let sarif = '{"runs": [{}]}';
+  const analysisKey = ".github/workflows/codeql-analysis.yml:analyze";
+
+  let expectedSarif =
+    '{"runs":[{"automationDetails":{"id":".github/workflows/codeql-analysis.yml:analyze/language:javascript/os:linux/"}}]}';
+
+  let modifiedSarif = uploadLib.populateRunAutomationDetails(
+    sarif,
+    analysisKey,
+    '{"language": "javascript", "os": "linux"}'
+  );
+  t.deepEqual(modifiedSarif, expectedSarif);
+
+  // check the environment sorting
+  modifiedSarif = uploadLib.populateRunAutomationDetails(
+    sarif,
+    analysisKey,
+    '{"os": "linux", "language": "javascript"}'
+  );
+  t.deepEqual(modifiedSarif, expectedSarif);
+
+  // check that an empty environment produces the right results
+  expectedSarif =
+    '{"runs":[{"automationDetails":{"id":".github/workflows/codeql-analysis.yml:analyze/"}}]}';
+  modifiedSarif = uploadLib.populateRunAutomationDetails(
+    sarif,
+    analysisKey,
+    "{}"
+  );
+  t.deepEqual(modifiedSarif, expectedSarif);
+
+  // check non string environment values
+  expectedSarif =
+    '{"runs":[{"automationDetails":{"id":".github/workflows/codeql-analysis.yml:analyze/number:/object:/"}}]}';
+  modifiedSarif = uploadLib.populateRunAutomationDetails(
+    sarif,
+    analysisKey,
+    '{"number": 1, "object": {"language": "javascript"}}'
+  );
+  t.deepEqual(modifiedSarif, expectedSarif);
+
+  // check that the automation details doesn't get overwritten
+  sarif = '{"runs":[{"automationDetails":{"id":"my_id"}}]}';
+  expectedSarif = '{"runs":[{"automationDetails":{"id":"my_id"}}]}';
+  modifiedSarif = uploadLib.populateRunAutomationDetails(
+    sarif,
+    analysisKey,
+    '{"os": "linux", "language": "javascript"}'
+  );
+  t.deepEqual(modifiedSarif, expectedSarif);
+});

src/upload-lib.ts

@@ -40,6 +40,44 @@ export function combineSarifFiles(sarifFiles: string[]): string {
   return JSON.stringify(combinedSarif);
 }
 
+// Populates the run.automationDetails.id field using the analysis_key and environment
+// and return an updated sarif file contents.
+export function populateRunAutomationDetails(
+  sarifContents: string,
+  analysis_key: string | undefined,
+  environment: string | undefined
+): string {
+  if (analysis_key === undefined) {
+    return sarifContents;
+  }
+  let automationID = `${analysis_key}/`;
+
+  // the id has to be deterministic so we sort the fields
+  if (environment !== undefined && environment !== "null") {
+    const environmentObject = JSON.parse(environment);
+    for (const entry of Object.entries(environmentObject).sort()) {
+      if (typeof entry[1] === "string") {
+        automationID += `${entry[0]}:${entry[1]}/`;
+      } else {
+        // In code scanning we just handle the string values,
+        // the rest get converted to the empty string
+        automationID += `${entry[0]}:/`;
+      }
+    }
+  }
+
+  const sarif = JSON.parse(sarifContents);
+  for (const run of sarif.runs || []) {
+    if (run.automationDetails === undefined) {
+      run.automationDetails = {
+        id: automationID,
+      };
+    }
+  }
+
+  return JSON.stringify(sarif);
+}
+
 // Upload the given payload.
 // If the request fails then this will retry a small number of times.
 async function uploadPayload(
@@ -321,6 +359,11 @@ async function uploadFiles(
     checkoutPath,
     logger
   );
+  sarifPayload = populateRunAutomationDetails(
+    sarifPayload,
+    analysisKey,
+    environment
+  );
 
   const zippedSarif = zlib.gzipSync(sarifPayload).toString("base64");
   const checkoutURI = fileUrl(checkoutPath);