Merge pull request #1345 from github/update-v2.1.31-a8cabafa

Merge main into releases/v2

.github/workflows/__analyze-ref-input.yml

@@ -25,19 +25,19 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
         - os: macos-latest
           version: stable-20210308
         - os: windows-2019
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
         - os: macos-latest
           version: stable-20210319
         - os: windows-2019
           version: stable-20210319
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: macos-latest
           version: stable-20210809
@@ -47,23 +47,19 @@ jobs:
           version: cached
         - os: macos-latest
           version: cached
-        - os: windows-2019
+        - os: windows-latest
           version: cached
         - os: ubuntu-latest
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: "Analyze: 'ref' and 'sha' from inputs"
     timeout-minutes: 45

.github/workflows/__autobuild-action.yml

@@ -29,9 +29,7 @@ jobs:
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
     name: autobuild-action
     timeout-minutes: 45

.github/workflows/__go-custom-queries.yml

@@ -25,19 +25,19 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
         - os: macos-latest
           version: stable-20210308
         - os: windows-2019
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
         - os: macos-latest
           version: stable-20210319
         - os: windows-2019
           version: stable-20210319
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: macos-latest
           version: stable-20210809
@@ -47,23 +47,19 @@ jobs:
           version: cached
         - os: macos-latest
           version: cached
-        - os: windows-2019
+        - os: windows-latest
           version: cached
         - os: ubuntu-latest
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: 'Go: Custom queries'
     timeout-minutes: 45

.github/workflows/__go-custom-tracing-autobuild.yml

@@ -25,15 +25,15 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
         - os: macos-latest
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
         - os: macos-latest
           version: stable-20210319
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: macos-latest
           version: stable-20210809

.github/workflows/__go-custom-tracing.yml

@@ -25,19 +25,19 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
         - os: macos-latest
           version: stable-20210308
         - os: windows-2019
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
         - os: macos-latest
           version: stable-20210319
         - os: windows-2019
           version: stable-20210319
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: macos-latest
           version: stable-20210809
@@ -47,23 +47,19 @@ jobs:
           version: cached
         - os: macos-latest
           version: cached
-        - os: windows-2019
+        - os: windows-latest
           version: cached
         - os: ubuntu-latest
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: 'Go: Custom tracing'
     timeout-minutes: 45

.github/workflows/__go-reconciled-tracing-autobuilder.yml

@@ -25,15 +25,15 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
         - os: macos-latest
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
         - os: macos-latest
           version: stable-20210319
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: macos-latest
           version: stable-20210809

.github/workflows/__go-reconciled-tracing-custom-build-steps.yml

@@ -25,19 +25,19 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
         - os: macos-latest
           version: stable-20210308
         - os: windows-2019
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
         - os: macos-latest
           version: stable-20210319
         - os: windows-2019
           version: stable-20210319
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: macos-latest
           version: stable-20210809
@@ -47,23 +47,19 @@ jobs:
           version: cached
         - os: macos-latest
           version: cached
-        - os: windows-2019
+        - os: windows-latest
           version: cached
         - os: ubuntu-latest
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: 'Go: Reconciled tracing with custom build steps'
     timeout-minutes: 45

.github/workflows/__go-reconciled-tracing-legacy-workflow.yml

@@ -25,15 +25,15 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
         - os: macos-latest
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
         - os: macos-latest
           version: stable-20210319
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: macos-latest
           version: stable-20210809

.github/workflows/__init-with-registries.yml

@@ -29,9 +29,7 @@ jobs:
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Download using registries'
     timeout-minutes: 45

.github/workflows/__multi-language-autodetect.yml

@@ -25,15 +25,15 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
         - os: macos-latest
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
         - os: macos-latest
           version: stable-20210319
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: macos-latest
           version: stable-20210809

.github/workflows/__packaging-codescanning-config-inputs-js.yml

@@ -29,23 +29,19 @@ jobs:
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
         - os: ubuntu-latest
           version: cached
         - os: macos-latest
           version: cached
-        - os: windows-2019
+        - os: windows-latest
           version: cached
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Config and input passed to the CLI'
     timeout-minutes: 45

.github/workflows/__packaging-config-inputs-js.yml

@@ -29,23 +29,19 @@ jobs:
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
         - os: ubuntu-latest
           version: cached
         - os: macos-latest
           version: cached
-        - os: windows-2019
+        - os: windows-latest
           version: cached
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Config and input'
     timeout-minutes: 45

.github/workflows/__packaging-config-js.yml

@@ -29,23 +29,19 @@ jobs:
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
         - os: ubuntu-latest
           version: cached
         - os: macos-latest
           version: cached
-        - os: windows-2019
+        - os: windows-latest
           version: cached
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Config file'
     timeout-minutes: 45

.github/workflows/__packaging-inputs-js.yml

@@ -29,23 +29,19 @@ jobs:
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
         - os: ubuntu-latest
           version: cached
         - os: macos-latest
           version: cached
-        - os: windows-2019
+        - os: windows-latest
           version: cached
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: 'Packaging: Action input'
     timeout-minutes: 45

.github/workflows/__remote-config.yml

@@ -25,19 +25,19 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
         - os: macos-latest
           version: stable-20210308
         - os: windows-2019
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
         - os: macos-latest
           version: stable-20210319
         - os: windows-2019
           version: stable-20210319
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: macos-latest
           version: stable-20210809
@@ -47,23 +47,19 @@ jobs:
           version: cached
         - os: macos-latest
           version: cached
-        - os: windows-2019
+        - os: windows-latest
           version: cached
         - os: ubuntu-latest
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: Remote config file
     timeout-minutes: 45

.github/workflows/__rubocop-multi-language.yml

@@ -25,18 +25,8 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
-          version: stable-20210308
-        - os: ubuntu-latest
-          version: stable-20210319
-        - os: ubuntu-latest
-          version: stable-20210809
         - os: ubuntu-latest
           version: cached
-        - os: ubuntu-latest
-          version: latest
-        - os: ubuntu-latest
-          version: nightly-latest
     name: RuboCop multi-language
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}

.github/workflows/__test-proxy.yml

@@ -51,10 +51,10 @@ jobs:
       https_proxy: http://squid-proxy:3128
       INTERNAL_CODEQL_ACTION_DEBUG_LOC: true
     container:
-      image: ubuntu:18.04
+      image: ubuntu:22.04
       options: --dns 127.0.0.1
     services:
       squid-proxy:
-        image: datadog/squid:latest
+        image: ubuntu/squid:latest
         ports:
         - 3128:3128

.github/workflows/__upload-ref-sha-input.yml

@@ -25,19 +25,19 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
         - os: macos-latest
           version: stable-20210308
         - os: windows-2019
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
         - os: macos-latest
           version: stable-20210319
         - os: windows-2019
           version: stable-20210319
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: macos-latest
           version: stable-20210809
@@ -47,23 +47,19 @@ jobs:
           version: cached
         - os: macos-latest
           version: cached
-        - os: windows-2019
+        - os: windows-latest
           version: cached
         - os: ubuntu-latest
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: "Upload-sarif: 'ref' and 'sha' from inputs"
     timeout-minutes: 45

.github/workflows/__with-checkout-path.yml

@@ -25,19 +25,19 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
         - os: macos-latest
           version: stable-20210308
         - os: windows-2019
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
         - os: macos-latest
           version: stable-20210319
         - os: windows-2019
           version: stable-20210319
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: macos-latest
           version: stable-20210809
@@ -47,23 +47,19 @@ jobs:
           version: cached
         - os: macos-latest
           version: cached
-        - os: windows-2019
+        - os: windows-latest
           version: cached
         - os: ubuntu-latest
           version: latest
         - os: macos-latest
           version: latest
-        - os: windows-2019
-          version: latest
-        - os: windows-2022
+        - os: windows-latest
           version: latest
         - os: ubuntu-latest
           version: nightly-latest
         - os: macos-latest
           version: nightly-latest
-        - os: windows-2019
-          version: nightly-latest
-        - os: windows-2022
+        - os: windows-latest
           version: nightly-latest
     name: Use a custom `checkout_path`
     timeout-minutes: 45

.github/workflows/codescanning-config-cli.yml

@@ -24,7 +24,6 @@ jobs:
     continue-on-error: true
 
     strategy:
-      fail-fast: true
       matrix:
         include:
         - os: ubuntu-latest

.github/workflows/debug-artifacts.yml

@@ -19,8 +19,31 @@ jobs:
   upload-artifacts:
     strategy:
       matrix:
-        os: [ubuntu-latest, macos-latest]
-        version: [stable-20210308, stable-20210319, stable-20210809, cached, latest, nightly-latest]
+        include:
+          - os: ubuntu-20.04
+            version: stable-20210308
+          - os: macos-latest
+            version: stable-20210308
+          - os: ubuntu-20.04
+            version: stable-20210319
+          - os: macos-latest
+            version: stable-20210319
+          - os: ubuntu-20.04
+            version: stable-20210809
+          - os: macos-latest
+            version: stable-20210809
+          - os: ubuntu-latest
+            version: cached
+          - os: macos-latest
+            version: cached
+          - os: ubuntu-latest
+            version: latest
+          - os: macos-latest
+            version: latest
+          - os: ubuntu-latest
+            version: nightly-latest
+          - os: macos-latest
+            version: nightly-latest
     name: Upload debug artifacts
     timeout-minutes: 45
     runs-on: ${{ matrix.os }}
@@ -58,11 +81,17 @@ jobs:
       - name: Check expected artifacts exist
         shell: bash
         run: |
-          OPERATING_SYSTEMS="ubuntu-latest macos-latest"
           VERSIONS="stable-20210308 stable-20210319 stable-20210809 cached latest nightly-latest"
           LANGUAGES="cpp csharp go java javascript python"
-          for os in $OPERATING_SYSTEMS; do
-            for version in $VERSIONS; do
+          for version in $VERSIONS; do
+            if [[ "$version" =~ stable-(20210308|20210319|20210809) ]]; then
+              # Note the absence of the period in "ubuntu-2004": this is present in the image name
+              # but not the artifact name
+              OPERATING_SYSTEMS="ubuntu-2004 macos-latest"
+            else
+              OPERATING_SYSTEMS="ubuntu-latest macos-latest"
+            fi
+            for os in $OPERATING_SYSTEMS; do
               pushd "./my-debug-artifacts-$os-$version"
               echo "Artifacts from version $version on $os:"
               for language in $LANGUAGES; do

.github/workflows/post-release-mergeback.yml

@@ -121,7 +121,8 @@ jobs:
             - [ ] Remove and re-add the "Update dependencies" label to the PR to trigger just this workflow.
             - [ ] Wait for the "Update dependencies" workflow to push a commit updating the dependencies.
             - [ ] Mark the PR as ready for review to trigger the full set of PR checks.
-            - [ ] Approve and merge the PR. Make sure `Create a merge commit` is selected rather than `Squash and merge` or `Rebase and merge`.
+            - [ ] Approve and merge the PR. When merging the PR, make sure "Create a merge commit" is
+                  selected rather than "Squash and merge" or "Rebase and merge".
           EOF
           )
 

.github/workflows/pr-checks.yml

@@ -16,7 +16,6 @@ jobs:
     timeout-minutes: 45
 
     strategy:
-      fail-fast: true
       matrix:
         node-types-version: [12.12, current]
 

.github/workflows/python-deps.yml

@@ -26,7 +26,7 @@ jobs:
     strategy:
         fail-fast: false
         matrix:
-          os: [ubuntu-latest, ubuntu-22.04, macos-latest]
+          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
           python_deps_type: [pipenv, poetry, requirements, setup_py]
           python_version: [2, 3]
           exclude:
@@ -65,7 +65,7 @@ jobs:
         cd $GITHUB_WORKSPACE/python-setup/tests/${PYTHON_DEPS_TYPE}/requests-${PYTHON_VERSION}
 
         case ${{ matrix.os }} in
-            ubuntu-latest*)     basePath="/opt";;
+            ubuntu-20.04*)     basePath="/opt";;
             ubuntu-22.04*)     basePath="/opt";;
             macos-latest*)    basePath="/Users/runner";;
         esac
@@ -90,7 +90,7 @@ jobs:
     strategy:
         fail-fast: false
         matrix:
-          os: [ubuntu-latest, ubuntu-22.04, macos-latest]
+          os: [ubuntu-20.04, ubuntu-22.04, macos-latest]
 
     steps:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
@@ -112,7 +112,7 @@ jobs:
         cd $GITHUB_WORKSPACE/python-setup/tests/requirements/non-standard-location
 
         case ${{ matrix.os }} in
-            ubuntu-latest*)     basePath="/opt";;
+            ubuntu-20.04*)     basePath="/opt";;
             ubuntu-22.04*)     basePath="/opt";;
             macos-latest*)    basePath="/Users/runner";;
         esac

.github/workflows/unset-environment-new-cli.yml

@@ -21,7 +21,7 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210809
         - os: ubuntu-latest
           version: cached

.github/workflows/unset-environment-old-cli.yml

@@ -24,9 +24,9 @@ jobs:
     strategy:
       matrix:
         include:
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210308
-        - os: ubuntu-latest
+        - os: ubuntu-20.04
           version: stable-20210319
     name: Test unsetting environment variables
     timeout-minutes: 45

CHANGELOG.md

@@ -1,8 +1,16 @@
 # CodeQL Action Changelog
 
-## [UNRELEASED]
+## 2.1.31 - 04 Nov 2022
 
-No user facing changes.
+- The `rb/weak-cryptographic-algorithm` Ruby query has been updated to no longer report uses of hash functions such as `MD5` and `SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice. For more information, see the corresponding change in the [github/codeql repository](https://github.com/github/codeql/pull/11129). [#1344](https://github.com/github/codeql-action/pull/1344)
+
+## 2.1.30 - 02 Nov 2022
+
+- Improve the error message when using CodeQL bundle version 2.7.2 and earlier in a workflow that runs on a runner image such as `ubuntu-22.04` that uses glibc version 2.34 and later. [#1334](https://github.com/github/codeql-action/pull/1334)
+
+## 2.1.29 - 26 Oct 2022
+
+- Update default CodeQL bundle version to 2.11.2. [#1320](https://github.com/github/codeql-action/pull/1320)
 
 ## 2.1.28 - 18 Oct 2022
 

README.md

@@ -61,7 +61,7 @@ jobs:
         # with:
         #   languages: go, javascript, csharp, python, cpp, java
 
-      # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+      # Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below).
       - name: Autobuild
         uses: github/codeql-action/autobuild@v2

lib/actions-util.js

@@ -502,6 +502,12 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
     const runnerOs = (0, util_1.getRequiredEnvParam)("RUNNER_OS");
     const codeQlCliVersion = (0, util_1.getCachedCodeQlVersion)();
     const actionRef = process.env["GITHUB_ACTION_REF"];
+    const testingEnvironment = process.env[sharedEnv.CODEQL_ACTION_TESTING_ENVIRONMENT] || "";
+    // re-export the testing environment variable so that it is available to subsequent steps,
+    // even if it was only set for this step
+    if (testingEnvironment !== "") {
+        core.exportVariable(sharedEnv.CODEQL_ACTION_TESTING_ENVIRONMENT, testingEnvironment);
+    }
     const statusReport = {
         workflow_run_id: workflowRunID,
         workflow_name: workflowName,
@@ -515,6 +521,7 @@ async function createStatusReportBase(actionName, status, actionStartedAt, cause
         started_at: workflowStartedAt,
         action_started_at: actionStartedAt.toISOString(),
         status,
+        testing_environment: testingEnvironment,
         runner_os: runnerOs,
         action_version: pkg.version,
     };

lib/codeql.js

@@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
+exports.getExtraOptions = exports.getCodeQLForTesting = exports.getCachedCodeQL = exports.setCodeQL = exports.getCodeQL = exports.convertToSemVer = exports.getCodeQLURLVersion = exports.setupCodeQL = exports.getCodeQLActionRepository = exports.CODEQL_VERSION_BETTER_RESOLVE_LANGUAGES = exports.CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = exports.CODEQL_VERSION_NEW_TRACING = exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = exports.CODEQL_VERSION_CONFIG_FILES = exports.CODEQL_VERSION_COUNTS_LINES = exports.CODEQL_DEFAULT_ACTION_REPOSITORY = exports.CommandInvocationError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
@@ -43,10 +43,11 @@ const trap_caching_1 = require("./trap-caching");
 const util = __importStar(require("./util"));
 const util_1 = require("./util");
 class CommandInvocationError extends Error {
-    constructor(cmd, args, exitCode, error) {
+    constructor(cmd, args, exitCode, error, output) {
         super(`Failure invoking ${cmd} with arguments ${args}.\n
       Exit code ${exitCode} and error was:\n
       ${error}`);
+        this.output = output;
     }
 }
 exports.CommandInvocationError = CommandInvocationError;
@@ -93,6 +94,11 @@ exports.CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
  * versions above that.
  */
 exports.CODEQL_VERSION_NEW_TRACING = "2.7.0";
+/**
+ * Versions 2.7.3+ of the CodeQL CLI support build tracing with glibc 2.34 on Linux. Versions before
+ * this cannot perform build tracing when running on the Actions `ubuntu-22.04` runner image.
+ */
+exports.CODEQL_VERSION_TRACING_GLIBC_2_34 = "2.7.3";
 /**
  * Versions 2.9.0+ of the CodeQL CLI run machine learning models from a temporary directory, which
  * resolves an issue on Windows where TensorFlow models are not correctly loaded due to the path of
@@ -467,15 +473,32 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             // action/runner has been implemented in `codeql database trace-command`
             // _and_ is present in the latest supported CLI release.)
             const envFile = path.resolve(databasePath, "working", "env.tmp");
-            await runTool(cmd, [
-                "database",
-                "trace-command",
-                databasePath,
-                ...getExtraOptionsFromEnv(["database", "trace-command"]),
-                process.execPath,
-                tracerEnvJs,
-                envFile,
-            ]);
+            try {
+                await runTool(cmd, [
+                    "database",
+                    "trace-command",
+                    databasePath,
+                    ...getExtraOptionsFromEnv(["database", "trace-command"]),
+                    process.execPath,
+                    tracerEnvJs,
+                    envFile,
+                ]);
+            }
+            catch (e) {
+                if (e instanceof CommandInvocationError &&
+                    e.output.includes("undefined symbol: __libc_dlopen_mode, version GLIBC_PRIVATE") &&
+                    process.platform === "linux" &&
+                    !(await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_TRACING_GLIBC_2_34))) {
+                    throw new util.UserError("The CodeQL CLI is incompatible with the version of glibc on your system. " +
+                        `Please upgrade to CodeQL CLI version ${exports.CODEQL_VERSION_TRACING_GLIBC_2_34} or ` +
+                        "later. If you cannot upgrade to a newer version of the CodeQL CLI, you can " +
+                        `alternatively run your workflow on another runner image such as "ubuntu-20.04" ` +
+                        "that has glibc 2.33 or earlier installed.");
+                }
+                else {
+                    throw e;
+                }
+            }
             return JSON.parse(fs.readFileSync(envFile, "utf-8"));
         },
         async databaseInit(databasePath, language, sourceRoot) {
@@ -864,7 +887,7 @@ async function runTool(cmd, args = []) {
         ignoreReturnCode: true,
     }).exec();
     if (exitCode !== 0)
-        throw new CommandInvocationError(cmd, args, exitCode, error);
+        throw new CommandInvocationError(cmd, args, exitCode, error, output);
     return output;
 }
 /**

lib/defaults.json

@@ -1,3 +1,3 @@
 {
-    "bundleVersion": "codeql-bundle-20221010"
+    "bundleVersion": "codeql-bundle-20221024"
 }

lib/feature-flags.js

@@ -37,7 +37,7 @@ exports.featureConfig = {
     },
     [Feature.CliConfigFileEnabled]: {
         envVar: "CODEQL_PASS_CONFIG_TO_CLI",
-        minimumVersion: "2.10.1",
+        minimumVersion: "2.11.1",
     },
     [Feature.GolangExtractionReconciliationEnabled]: {
         envVar: "CODEQL_GOLANG_EXTRACTION_RECONCILIATION",

lib/shared-environment.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CODEQL_WORKFLOW_STARTED_AT = exports.ODASA_TRACER_CONFIGURATION = void 0;
+exports.CODEQL_ACTION_TESTING_ENVIRONMENT = exports.CODEQL_WORKFLOW_STARTED_AT = exports.ODASA_TRACER_CONFIGURATION = void 0;
 exports.ODASA_TRACER_CONFIGURATION = "ODASA_TRACER_CONFIGURATION";
 // The time at which the first action (normally init) started executing.
 // If a workflow invokes a different action without first invoking the init
@@ -8,4 +8,5 @@ exports.ODASA_TRACER_CONFIGURATION = "ODASA_TRACER_CONFIGURATION";
 // then this variable will be assigned the start time of the action invoked
 // rather that the init action.
 exports.CODEQL_WORKFLOW_STARTED_AT = "CODEQL_WORKFLOW_STARTED_AT";
+exports.CODEQL_ACTION_TESTING_ENVIRONMENT = "CODEQL_ACTION_TESTING_ENVIRONMENT";
 //# sourceMappingURL=shared-environment.js.map

lib/shared-environment.js.map

@@ -1 +1 @@
-{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAa,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AACvE,wEAAwE;AACxE,2EAA2E;AAC3E,4EAA4E;AAC5E,2EAA2E;AAC3E,+BAA+B;AAClB,QAAA,0BAA0B,GAAG,4BAA4B,CAAC"}
+{"version":3,"file":"shared-environment.js","sourceRoot":"","sources":["../src/shared-environment.ts"],"names":[],"mappings":";;;AAAa,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AACvE,wEAAwE;AACxE,2EAA2E;AAC3E,4EAA4E;AAC5E,2EAA2E;AAC3E,+BAA+B;AAClB,QAAA,0BAA0B,GAAG,4BAA4B,CAAC;AAE1D,QAAA,iCAAiC,GAC5C,mCAAmC,CAAC"}

lib/upload-lib.js

@@ -22,9 +22,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.validateUniqueCategory = exports.waitForProcessing = exports.buildPayload = exports.validateSarifFileSchema = exports.countResultsInSarif = exports.uploadFromRunner = exports.uploadFromActions = exports.findSarifFilesInDir = exports.populateRunAutomationDetails = exports.combineSarifFiles = void 0;
+exports.pruneInvalidResults = exports.validateUniqueCategory = exports.waitForProcessing = exports.buildPayload = exports.validateSarifFileSchema = exports.countResultsInSarif = exports.uploadFromRunner = exports.uploadFromActions = exports.findSarifFilesInDir = exports.populateRunAutomationDetails = exports.combineSarifFiles = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
+const process_1 = require("process");
 const zlib_1 = __importDefault(require("zlib"));
 const core = __importStar(require("@actions/core"));
 const file_url_1 = __importDefault(require("file-url"));
@@ -269,6 +270,8 @@ async function uploadFiles(sarifFiles, repositoryNwo, commitOid, ref, analysisKe
     let sarif = combineSarifFiles(sarifFiles);
     sarif = await fingerprints.addFingerprints(sarif, sourceRoot, logger);
     sarif = populateRunAutomationDetails(sarif, category, analysisKey, environment);
+    if (process_1.env["CODEQL_DISABLE_SARIF_PRUNING"] !== "true")
+        sarif = pruneInvalidResults(sarif, logger);
     const toolNames = util.getToolNames(sarif);
     validateUniqueCategory(sarif);
     const sarifPayload = JSON.stringify(sarif);
@@ -376,4 +379,36 @@ exports.validateUniqueCategory = validateUniqueCategory;
 function sanitize(str) {
     return (str !== null && str !== void 0 ? str : "_").replace(/[^a-zA-Z0-9_]/g, "_").toLocaleUpperCase();
 }
+function pruneInvalidResults(sarif, logger) {
+    var _a, _b, _c, _d, _e, _f, _g, _h;
+    let pruned = 0;
+    const newRuns = [];
+    for (const run of sarif.runs || []) {
+        if (((_b = (_a = run.tool) === null || _a === void 0 ? void 0 : _a.driver) === null || _b === void 0 ? void 0 : _b.name) === "CodeQL" &&
+            ((_d = (_c = run.tool) === null || _c === void 0 ? void 0 : _c.driver) === null || _d === void 0 ? void 0 : _d.semanticVersion) === "2.11.2") {
+            // Version 2.11.2 of the CodeQL CLI had many false positives in the
+            // rb/weak-cryptographic-algorithm query which we prune here. The
+            // issue is tracked in https://github.com/github/codeql/issues/11107.
+            const newResults = [];
+            for (const result of run.results || []) {
+                if (result.ruleId === "rb/weak-cryptographic-algorithm" &&
+                    (((_f = (_e = result.message) === null || _e === void 0 ? void 0 : _e.text) === null || _f === void 0 ? void 0 : _f.includes(" MD5 ")) ||
+                        ((_h = (_g = result.message) === null || _g === void 0 ? void 0 : _g.text) === null || _h === void 0 ? void 0 : _h.includes(" SHA1 ")))) {
+                    pruned += 1;
+                    continue;
+                }
+                newResults.push(result);
+            }
+            newRuns.push({ ...run, results: newResults });
+        }
+        else {
+            newRuns.push(run);
+        }
+    }
+    if (pruned > 0) {
+        logger.info(`Pruned ${pruned} results believed to be invalid from SARIF file.`);
+    }
+    return { ...sarif, runs: newRuns };
+}
+exports.pruneInvalidResults = pruneInvalidResults;
 //# sourceMappingURL=upload-lib.js.map

lib/upload-lib.test.js

@@ -28,6 +28,7 @@ const ava_1 = __importDefault(require("ava"));
 const logging_1 = require("./logging");
 const testing_utils_1 = require("./testing-utils");
 const uploadLib = __importStar(require("./upload-lib"));
+const upload_lib_1 = require("./upload-lib");
 const util_1 = require("./util");
 (0, testing_utils_1.setupTests)(ava_1.default);
 ava_1.default.beforeEach(() => {
@@ -200,6 +201,105 @@ ava_1.default.beforeEach(() => {
     t.throws(() => uploadLib.validateUniqueCategory(sarif1));
     t.throws(() => uploadLib.validateUniqueCategory(sarif2));
 });
+(0, ava_1.default)("pruneInvalidResults", (t) => {
+    const loggedMessages = [];
+    const mockLogger = {
+        info: (message) => {
+            loggedMessages.push(message);
+        },
+    };
+    const sarif = {
+        runs: [
+            {
+                tool: otherTool,
+                results: [resultWithBadMessage1, resultWithGoodMessage],
+            },
+            {
+                tool: affectedCodeQLVersion,
+                results: [
+                    resultWithOtherRuleId,
+                    resultWithBadMessage1,
+                    resultWithBadMessage2,
+                    resultWithGoodMessage,
+                ],
+            },
+            {
+                tool: unaffectedCodeQLVersion,
+                results: [resultWithBadMessage1, resultWithGoodMessage],
+            },
+        ],
+    };
+    const result = (0, upload_lib_1.pruneInvalidResults)(sarif, mockLogger);
+    const expected = {
+        runs: [
+            {
+                tool: otherTool,
+                results: [resultWithBadMessage1, resultWithGoodMessage],
+            },
+            {
+                tool: affectedCodeQLVersion,
+                results: [resultWithOtherRuleId, resultWithGoodMessage],
+            },
+            {
+                tool: unaffectedCodeQLVersion,
+                results: [resultWithBadMessage1, resultWithGoodMessage],
+            },
+        ],
+    };
+    t.deepEqual(result, expected);
+    t.deepEqual(loggedMessages.length, 1);
+    t.assert(loggedMessages[0].includes("Pruned 2 results"));
+});
+const affectedCodeQLVersion = {
+    driver: {
+        name: "CodeQL",
+        semanticVersion: "2.11.2",
+    },
+};
+const unaffectedCodeQLVersion = {
+    driver: {
+        name: "CodeQL",
+        semanticVersion: "2.11.3",
+    },
+};
+const otherTool = {
+    driver: {
+        name: "Some other tool",
+        semanticVersion: "2.11.2",
+    },
+};
+const resultWithOtherRuleId = {
+    ruleId: "doNotPrune",
+    message: {
+        text: "should not be pruned even though it says MD5 in it",
+    },
+    locations: [],
+    partialFingerprints: {},
+};
+const resultWithGoodMessage = {
+    ruleId: "rb/weak-cryptographic-algorithm",
+    message: {
+        text: "should not be pruned SHA128 is not a FP",
+    },
+    locations: [],
+    partialFingerprints: {},
+};
+const resultWithBadMessage1 = {
+    ruleId: "rb/weak-cryptographic-algorithm",
+    message: {
+        text: "should be pruned MD5 is a FP",
+    },
+    locations: [],
+    partialFingerprints: {},
+};
+const resultWithBadMessage2 = {
+    ruleId: "rb/weak-cryptographic-algorithm",
+    message: {
+        text: "should be pruned SHA1 is a FP",
+    },
+    locations: [],
+    partialFingerprints: {},
+};
 function createMockSarif(id, tool) {
     return {
         runs: [

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.1.29",
+  "version": "2.1.31",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "2.1.29",
+  "version": "2.1.31",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "2.1.29",
+      "version": "2.1.31",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^1.1.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.1.29",
+  "version": "2.1.31",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/extractor-ram-threads.yml

@@ -1,7 +1,7 @@
 name: "Extractor ram and threads options test"
 description: "Tests passing RAM and threads limits to extractors"
 versions: ["latest"]
-os: ["ubuntu-latest"]
+operatingSystems: ["ubuntu"]
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/go-custom-tracing-autobuild.yml

@@ -1,6 +1,6 @@
 name: "Go: Autobuild custom tracing"
 description: "Checks that Go tracing works in conjunction with the autobuilder"
-os: ["ubuntu-latest", "macos-latest"]
+operatingSystems: ["ubuntu", "macos"]
 env:
   CODEQL_EXTRACTOR_GO_BUILD_TRACING: "on"
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"

pr-checks/checks/go-reconciled-tracing-autobuilder.yml

@@ -1,6 +1,6 @@
 name: "Go: Reconciled tracing with autobuilder"
 description: "Checks that Go reconciled tracing works when using an autobuilder step"
-os: ["ubuntu-latest", "macos-latest"]
+operatingSystems: ["ubuntu", "macos"]
 env:
   CODEQL_ACTION_RECONCILE_GO_EXTRACTION: "true"
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"

pr-checks/checks/go-reconciled-tracing-legacy-workflow.yml

@@ -1,6 +1,6 @@
 name: "Go: Reconciled tracing with legacy workflow"
 description: "Checks that we run the autobuilder in legacy workflows with neither an autobuild step nor manual build steps"
-os: ["ubuntu-latest", "macos-latest"]
+operatingSystems: ["ubuntu", "macos"]
 env:
   # Enable reconciled Go tracing beta functionality
   CODEQL_ACTION_RECONCILE_GO_EXTRACTION: "true"

pr-checks/checks/javascript-source-root.yml

@@ -1,7 +1,7 @@
 name: "Custom source root"
 description: "Checks that the argument specifying a non-default source root works"
 versions: ["latest", "cached", "nightly-latest"] # This feature is not compatible with old CLIs
-os: ["ubuntu-latest"]
+operatingSystems: ["ubuntu"]
 steps:
   - name: Move codeql-action
     shell: bash

pr-checks/checks/ml-powered-queries.yml

@@ -7,8 +7,6 @@ versions: [
     "latest",
     "nightly-latest",
   ]
-# Test on all three platforms since ML-powered queries use native code
-os: ["ubuntu-latest", "macos-latest", "windows-latest"]
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/multi-language-autodetect.yml

@@ -1,6 +1,6 @@
 name: "Multi-language repository"
 description: "An end-to-end integration test of a multi-language repository using automatic language detection"
-os: ["ubuntu-latest", "macos-latest"]
+operatingSystems: ["ubuntu", "macos"]
 steps:
   - uses: ./../action/init
     with:

pr-checks/checks/rubocop-multi-language.yml

@@ -1,6 +1,8 @@
 name: "RuboCop multi-language"
 description: "Tests using RuboCop to analyze a multi-language repository and then using the CodeQL Action to upload the resulting SARIF"
-os: ["ubuntu-latest"]
+operatingSystems: ["ubuntu"]
+# This check doesn't use CodeQL, so the `version` matrix variable is unused.
+versions: ["cached"]
 steps:
   - name: Set up Ruby
     uses: ruby/setup-ruby@v1

pr-checks/checks/split-workflow.yml

@@ -1,6 +1,6 @@
 name: "Split workflow"
 description: "Tests a split-up workflow in which we first build a database and later analyze it"
-os: ["ubuntu-latest", "macos-latest"]
+operatingSystems: ["ubuntu", "macos"]
 versions: ["latest", "cached", "nightly-latest"] # This feature is not compatible with old CLIs
 steps:
   - uses: ./../action/init

pr-checks/checks/test-autobuild-working-dir.yml

@@ -1,7 +1,7 @@
 name: "Autobuild working directory"
 description: "Tests working-directory input of autobuild action"
 versions: ["latest"]
-os: ["ubuntu-latest"]
+operatingSystems: ["ubuntu"]
 steps:
   - name: Test setup
     shell: bash

pr-checks/checks/test-local-codeql.yml

@@ -1,7 +1,7 @@
 name: "Local CodeQL bundle"
 description: "Tests using a CodeQL bundle from a local file rather than a URL"
 versions: ["nightly-latest"]
-os: ["ubuntu-latest"]
+operatingSystems: ["ubuntu"]
 steps:
   - name: Fetch a CodeQL bundle
     shell: bash

pr-checks/checks/test-proxy.yml

@@ -1,13 +1,13 @@
 name: "Proxy test"
 description: "Tests using a proxy specified by the https_proxy environment variable"
 versions: ["latest"]
-os: ["ubuntu-latest"]
+operatingSystems: ["ubuntu"]
 container:
-  image: ubuntu:18.04
+  image: ubuntu:22.04
   options: --dns 127.0.0.1
 services:
   squid-proxy:
-    image: datadog/squid:latest
+    image: ubuntu/squid:latest
     ports:
       - 3128:3128
 env:

pr-checks/checks/test-ruby.yml

@@ -1,7 +1,7 @@
 name: "Ruby analysis"
 description: "Tests creation of a Ruby database"
 versions: ["latest", "cached", "nightly-latest"]
-os: ["ubuntu-latest", "macos-latest"]
+operatingSystems: ["ubuntu", "macos"]
 env:
   CODEQL_ENABLE_EXPERIMENTAL_FEATURES: "true"
 steps:

pr-checks/checks/with-checkout-path.yml

@@ -1,9 +1,5 @@
 name: "Use a custom `checkout_path`"
 description: "Checks that a custom `checkout_path` will find the proper commit_oid"
-# Build tracing currently does not support Windows 2022, so use `windows-2019` instead of
-# `windows-latest`.
-# Must test on all three platforms since this test does path manipulation
-os: [ubuntu-latest, macos-latest, windows-2019]
 steps:
   # Check out the actions repo again, but at a different location.
   # choose an arbitrary SHA so that we can later test that the commit_oid is not from main

pr-checks/sync.py

@@ -1,6 +1,7 @@
 import ruamel.yaml
 import os
 
+# The default set of CodeQL Bundle versions to use for the PR checks.
 defaultTestVersions = [
     # The oldest supported CodeQL version: 2.4.5. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
     "stable-20210308",
@@ -15,7 +16,24 @@ defaultTestVersions = [
     # A nightly build directly from the our private repo, built in the last 24 hours.
     "nightly-latest"
 ]
-defaultOperatingSystems = ["ubuntu-latest", "macos-latest", "windows-2019"]
+
+
+def isCompatibleWithLatestImages(version):
+    if version in ["cached", "latest", "nightly-latest"]:
+        return True
+    date = version.split("-")[1]
+    # The first version of the CodeQL CLI compatible with `ubuntu-22.04` and `windows-2022` is
+    # 2.7.3. This appears in CodeQL Bundle version codeql-bundle-20211208.
+    return date >= "20211208"
+
+
+def operatingSystemsForVersion(version):
+    if isCompatibleWithLatestImages(version):
+        return ["ubuntu-latest", "macos-latest", "windows-latest"]
+    else:
+        return ["ubuntu-20.04", "macos-latest", "windows-2019"]
+
+
 header = """# Warning: This file is generated automatically, and should not be modified.
 # Instead, please modify the template in the pr-checks directory and run:
 #     pip install ruamel.yaml && python3 sync.py
@@ -23,6 +41,7 @@ header = """# Warning: This file is generated automatically, and should not be m
 
 """
 
+
 class NonAliasingRTRepresenter(ruamel.yaml.representer.RoundTripRepresenter):
     def ignore_aliases(self, data):
         return True
@@ -39,13 +58,6 @@ for file in os.listdir('checks'):
     with open(f"checks/{file}", 'r') as checkStream:
         checkSpecification = yaml.load(checkStream)
 
-    versions = defaultTestVersions
-    if 'versions' in checkSpecification:
-        versions = checkSpecification['versions']
-    operatingSystems = defaultOperatingSystems
-    if 'os' in checkSpecification:
-        operatingSystems = checkSpecification['os']
-
     steps = [
         {
             'name': 'Check out repository',
@@ -63,20 +75,17 @@ for file in os.listdir('checks'):
     steps.extend(checkSpecification['steps'])
 
     matrix = []
-    for version in versions:
-        for os in operatingSystems:
+    for version in checkSpecification.get('versions', defaultTestVersions):
+        runnerImages = operatingSystemsForVersion(version)
+        if checkSpecification.get('operatingSystems', None):
+            runnerImages = [image for image in runnerImages for operatingSystem in checkSpecification['operatingSystems']
+                            if image.startswith(operatingSystem)]
+
+        for runnerImage in runnerImages:
             matrix.append({
-                'os': os,
+                'os': runnerImage,
                 'version': version
             })
-            if (version == 'latest' or version == 'nightly-latest') and os == 'windows-2019':
-                # New versions of the CLI should also work with Windows Server 2022.
-                # Once all versions of the CLI that we test against work with Windows Server 2022,
-                # we should remove this logic and instead just add windows-2022 to the test matrix.
-                matrix.append({
-                    'os': 'windows-2022',
-                    'version': version
-                })
 
     checkJob = {
         'strategy': {

src/actions-util.ts

@@ -600,6 +600,12 @@ export interface StatusReportBase {
   completed_at?: string;
   /** State this action is currently in. */
   status: ActionStatus;
+  /**
+   * Testing environment: Set if non-production environment.
+   * The server accepts one of the following values:
+   *  `["", "qa-rc", "qa-rc-1", "qa-rc-2", "qa-experiment-1", "qa-experiment-2", "qa-experiment-3"]`.
+   */
+  testing_environment: string;
   /**
    * Information about the enablement of the ML-powered JS query pack.
    *
@@ -675,6 +681,16 @@ export async function createStatusReportBase(
   const runnerOs = getRequiredEnvParam("RUNNER_OS");
   const codeQlCliVersion = getCachedCodeQlVersion();
   const actionRef = process.env["GITHUB_ACTION_REF"];
+  const testingEnvironment =
+    process.env[sharedEnv.CODEQL_ACTION_TESTING_ENVIRONMENT] || "";
+  // re-export the testing environment variable so that it is available to subsequent steps,
+  // even if it was only set for this step
+  if (testingEnvironment !== "") {
+    core.exportVariable(
+      sharedEnv.CODEQL_ACTION_TESTING_ENVIRONMENT,
+      testingEnvironment
+    );
+  }
 
   const statusReport: StatusReportBase = {
     workflow_run_id: workflowRunID,
@@ -689,6 +705,7 @@ export async function createStatusReportBase(
     started_at: workflowStartedAt,
     action_started_at: actionStartedAt.toISOString(),
     status,
+    testing_environment: testingEnvironment,
     runner_os: runnerOs,
     action_version: pkg.version,
   };

src/codeql.ts

@@ -48,7 +48,13 @@ interface ExtraOptions {
 }
 
 export class CommandInvocationError extends Error {
-  constructor(cmd: string, args: string[], exitCode: number, error: string) {
+  constructor(
+    cmd: string,
+    args: string[],
+    exitCode: number,
+    error: string,
+    public output: string
+  ) {
     super(
       `Failure invoking ${cmd} with arguments ${args}.\n
       Exit code ${exitCode} and error was:\n
@@ -263,6 +269,12 @@ export const CODEQL_VERSION_GHES_PACK_DOWNLOAD = "2.10.4";
  */
 export const CODEQL_VERSION_NEW_TRACING = "2.7.0";
 
+/**
+ * Versions 2.7.3+ of the CodeQL CLI support build tracing with glibc 2.34 on Linux. Versions before
+ * this cannot perform build tracing when running on the Actions `ubuntu-22.04` runner image.
+ */
+export const CODEQL_VERSION_TRACING_GLIBC_2_34 = "2.7.3";
+
 /**
  * Versions 2.9.0+ of the CodeQL CLI run machine learning models from a temporary directory, which
  * resolves an issue on Windows where TensorFlow models are not correctly loaded due to the path of
@@ -742,15 +754,39 @@ async function getCodeQLForCmd(
       // _and_ is present in the latest supported CLI release.)
       const envFile = path.resolve(databasePath, "working", "env.tmp");
 
-      await runTool(cmd, [
-        "database",
-        "trace-command",
-        databasePath,
-        ...getExtraOptionsFromEnv(["database", "trace-command"]),
-        process.execPath,
-        tracerEnvJs,
-        envFile,
-      ]);
+      try {
+        await runTool(cmd, [
+          "database",
+          "trace-command",
+          databasePath,
+          ...getExtraOptionsFromEnv(["database", "trace-command"]),
+          process.execPath,
+          tracerEnvJs,
+          envFile,
+        ]);
+      } catch (e) {
+        if (
+          e instanceof CommandInvocationError &&
+          e.output.includes(
+            "undefined symbol: __libc_dlopen_mode, version GLIBC_PRIVATE"
+          ) &&
+          process.platform === "linux" &&
+          !(await util.codeQlVersionAbove(
+            this,
+            CODEQL_VERSION_TRACING_GLIBC_2_34
+          ))
+        ) {
+          throw new util.UserError(
+            "The CodeQL CLI is incompatible with the version of glibc on your system. " +
+              `Please upgrade to CodeQL CLI version ${CODEQL_VERSION_TRACING_GLIBC_2_34} or ` +
+              "later. If you cannot upgrade to a newer version of the CodeQL CLI, you can " +
+              `alternatively run your workflow on another runner image such as "ubuntu-20.04" ` +
+              "that has glibc 2.33 or earlier installed."
+          );
+        } else {
+          throw e;
+        }
+      }
       return JSON.parse(fs.readFileSync(envFile, "utf-8"));
     },
     async databaseInit(
@@ -1259,7 +1295,7 @@ async function runTool(cmd: string, args: string[] = []) {
     ignoreReturnCode: true,
   }).exec();
   if (exitCode !== 0)
-    throw new CommandInvocationError(cmd, args, exitCode, error);
+    throw new CommandInvocationError(cmd, args, exitCode, error, output);
   return output;
 }
 

src/defaults.json

@@ -1,3 +1,3 @@
 {
-  "bundleVersion": "codeql-bundle-20221010"
+  "bundleVersion": "codeql-bundle-20221024"
 }

src/feature-flags.ts

@@ -26,7 +26,7 @@ export const featureConfig: Record<
   },
   [Feature.CliConfigFileEnabled]: {
     envVar: "CODEQL_PASS_CONFIG_TO_CLI",
-    minimumVersion: "2.10.1",
+    minimumVersion: "2.11.1",
   },
   [Feature.GolangExtractionReconciliationEnabled]: {
     envVar: "CODEQL_GOLANG_EXTRACTION_RECONCILIATION",

src/shared-environment.ts

@@ -5,3 +5,6 @@ export const ODASA_TRACER_CONFIGURATION = "ODASA_TRACER_CONFIGURATION";
 // then this variable will be assigned the start time of the action invoked
 // rather that the init action.
 export const CODEQL_WORKFLOW_STARTED_AT = "CODEQL_WORKFLOW_STARTED_AT";
+
+export const CODEQL_ACTION_TESTING_ENVIRONMENT =
+  "CODEQL_ACTION_TESTING_ENVIRONMENT";

src/upload-lib.test.ts

@@ -3,14 +3,16 @@ import * as path from "path";
 
 import test from "ava";
 
-import { getRunnerLogger } from "./logging";
+import { getRunnerLogger, Logger } from "./logging";
 import { setupTests } from "./testing-utils";
 import * as uploadLib from "./upload-lib";
+import { pruneInvalidResults } from "./upload-lib";
 import {
+  GitHubVariant,
+  GitHubVersion,
   initializeEnvironment,
   Mode,
-  GitHubVersion,
-  GitHubVariant,
+  SarifFile,
   withTmpDir,
 } from "./util";
 
@@ -344,6 +346,116 @@ test("validateUniqueCategory for multiple runs", (t) => {
   t.throws(() => uploadLib.validateUniqueCategory(sarif2));
 });
 
+test("pruneInvalidResults", (t) => {
+  const loggedMessages: string[] = [];
+  const mockLogger = {
+    info: (message: string) => {
+      loggedMessages.push(message);
+    },
+  } as Logger;
+
+  const sarif: SarifFile = {
+    runs: [
+      {
+        tool: otherTool,
+        results: [resultWithBadMessage1, resultWithGoodMessage],
+      },
+      {
+        tool: affectedCodeQLVersion,
+        results: [
+          resultWithOtherRuleId,
+          resultWithBadMessage1,
+          resultWithBadMessage2,
+          resultWithGoodMessage,
+        ],
+      },
+      {
+        tool: unaffectedCodeQLVersion,
+        results: [resultWithBadMessage1, resultWithGoodMessage],
+      },
+    ],
+  };
+  const result = pruneInvalidResults(sarif, mockLogger);
+
+  const expected: SarifFile = {
+    runs: [
+      {
+        tool: otherTool,
+        results: [resultWithBadMessage1, resultWithGoodMessage],
+      },
+      {
+        tool: affectedCodeQLVersion,
+        results: [resultWithOtherRuleId, resultWithGoodMessage],
+      },
+      {
+        tool: unaffectedCodeQLVersion,
+        results: [resultWithBadMessage1, resultWithGoodMessage],
+      },
+    ],
+  };
+
+  t.deepEqual(result, expected);
+  t.deepEqual(loggedMessages.length, 1);
+  t.assert(loggedMessages[0].includes("Pruned 2 results"));
+});
+
+const affectedCodeQLVersion = {
+  driver: {
+    name: "CodeQL",
+    semanticVersion: "2.11.2",
+  },
+};
+
+const unaffectedCodeQLVersion = {
+  driver: {
+    name: "CodeQL",
+    semanticVersion: "2.11.3",
+  },
+};
+
+const otherTool = {
+  driver: {
+    name: "Some other tool",
+    semanticVersion: "2.11.2",
+  },
+};
+
+const resultWithOtherRuleId = {
+  ruleId: "doNotPrune",
+  message: {
+    text: "should not be pruned even though it says MD5 in it",
+  },
+  locations: [],
+  partialFingerprints: {},
+};
+
+const resultWithGoodMessage = {
+  ruleId: "rb/weak-cryptographic-algorithm",
+  message: {
+    text: "should not be pruned SHA128 is not a FP",
+  },
+  locations: [],
+  partialFingerprints: {},
+};
+
+const resultWithBadMessage1 = {
+  ruleId: "rb/weak-cryptographic-algorithm",
+  message: {
+    text: "should be pruned MD5 is a FP",
+  },
+  locations: [],
+  partialFingerprints: {},
+};
+
+const resultWithBadMessage2 = {
+  ruleId: "rb/weak-cryptographic-algorithm",
+  message: {
+    text: "should be pruned SHA1 is a FP",
+  },
+  locations: [],
+  partialFingerprints: {},
+};
+
 function createMockSarif(id?: string, tool?: string) {
   return {
     runs: [

src/upload-lib.ts

@@ -1,5 +1,6 @@
 import * as fs from "fs";
 import * as path from "path";
+import { env } from "process";
 import zlib from "zlib";
 
 import * as core from "@actions/core";
@@ -15,7 +16,7 @@ import { Logger } from "./logging";
 import { parseRepositoryNwo, RepositoryNwo } from "./repository";
 import * as sharedEnv from "./shared-environment";
 import * as util from "./util";
-import { SarifFile } from "./util";
+import { SarifFile, SarifResult, SarifRun } from "./util";
 
 // Takes a list of paths to sarif files and combines them together,
 // returning the contents of the combined sarif file.
@@ -396,6 +397,9 @@ async function uploadFiles(
     environment
   );
 
+  if (env["CODEQL_DISABLE_SARIF_PRUNING"] !== "true")
+    sarif = pruneInvalidResults(sarif, logger);
+
   const toolNames = util.getToolNames(sarif);
 
   validateUniqueCategory(sarif);
@@ -546,3 +550,42 @@ export function validateUniqueCategory(sarif: SarifFile): void {
 function sanitize(str?: string) {
   return (str ?? "_").replace(/[^a-zA-Z0-9_]/g, "_").toLocaleUpperCase();
 }
+
+export function pruneInvalidResults(
+  sarif: SarifFile,
+  logger: Logger
+): SarifFile {
+  let pruned = 0;
+  const newRuns: SarifRun[] = [];
+  for (const run of sarif.runs || []) {
+    if (
+      run.tool?.driver?.name === "CodeQL" &&
+      run.tool?.driver?.semanticVersion === "2.11.2"
+    ) {
+      // Version 2.11.2 of the CodeQL CLI had many false positives in the
+      // rb/weak-cryptographic-algorithm query which we prune here. The
+      // issue is tracked in https://github.com/github/codeql/issues/11107.
+      const newResults: SarifResult[] = [];
+      for (const result of run.results || []) {
+        if (
+          result.ruleId === "rb/weak-cryptographic-algorithm" &&
+          (result.message?.text?.includes(" MD5 ") ||
+            result.message?.text?.includes(" SHA1 "))
+        ) {
+          pruned += 1;
+          continue;
+        }
+        newResults.push(result);
+      }
+      newRuns.push({ ...run, results: newResults });
+    } else {
+      newRuns.push(run);
+    }
+  }
+  if (pruned > 0) {
+    logger.info(
+      `Pruned ${pruned} results believed to be invalid from SARIF file.`
+    );
+  }
+  return { ...sarif, runs: newRuns };
+}

src/util.ts

@@ -52,21 +52,28 @@ export const DID_AUTOBUILD_GO_ENV_VAR_NAME =
 
 export interface SarifFile {
   version?: string | null;
-  runs: Array<{
-    tool?: {
-      driver?: {
-        name?: string;
-      };
+  runs: SarifRun[];
+}
+
+export interface SarifRun {
+  tool?: {
+    driver?: {
+      name?: string;
+      semanticVersion?: string;
     };
-    automationDetails?: {
-      id?: string;
-    };
-    artifacts?: string[];
-    results?: SarifResult[];
-  }>;
+  };
+  automationDetails?: {
+    id?: string;
+  };
+  artifacts?: string[];
+  results?: SarifResult[];
 }
 
 export interface SarifResult {
+  ruleId?: string;
+  message?: {
+    text?: string;
+  };
   locations: Array<{
     physicalLocation: {
       artifactLocation: {