Updating

Mergeback v2.22.0 refs/heads/releases/v2 into main

.github/workflows/__go-indirect-tracing-workaround-diagnostic.yml

@@ -0,0 +1,96 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: 'PR Check - Go: diagnostic when Go is changed after init step'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  go-indirect-tracing-workaround-diagnostic:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+    name: 'Go: diagnostic when Go is changed after init step'
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/setup-go@v4
+      with:
+      # We need a Go version that ships with statically linked binaries on Linux
+        go-version: '>=1.21.0'
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+  # Deliberately change Go after the `init` step
+    - uses: actions/setup-go@v4
+      with:
+        go-version: '1.20'
+    - name: Build code
+      shell: bash
+      run: go build main.go
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+    - name: Check diagnostic appears in SARIF
+      uses: actions/github-script@v6
+      env:
+        SARIF_PATH: ${{ runner.temp }}/results/go.sarif
+      with:
+        script: |
+          const fs = require('fs');
+
+          const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+          const run = sarif.runs[0];
+
+          const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+          const statusPageNotifications = toolExecutionNotifications.filter(n =>
+            n.descriptor.id === 'go/workflow/go-installed-after-codeql-init' && n.properties?.visibility?.statusPage
+          );
+          if (statusPageNotifications.length !== 1) {
+            core.setFailed(
+              'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
+                `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+                `${statusPageNotifications.length}. All notification reporting descriptors: ` +
+                `${JSON.stringify(toolExecutionNotifications)}.`
+            );
+          }
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-indirect-tracing-workaround.yml

@@ -0,0 +1,94 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
+# to regenerate this file.
+
+name: 'PR Check - Go: workaround for indirect tracing'
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
+on:
+  push:
+    branches:
+    - main
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  go-indirect-tracing-workaround:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-v2.14.6
+    name: 'Go: workaround for indirect tracing'
+    permissions:
+      contents: read
+      security-events: write
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v4
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/actions/prepare-test
+      with:
+        version: ${{ matrix.version }}
+        use-all-platform-bundle: 'false'
+    - name: Set environment variable for Swift enablement
+      if: >-
+        runner.os != 'Windows' && (
+            matrix.version == '20220908' ||
+            matrix.version == '20221211'
+        )
+      shell: bash
+      run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/setup-go@v4
+      with:
+      # We need a Go version that ships with statically linked binaries on Linux
+        go-version: '>=1.21.0'
+    - uses: ./../action/init
+      with:
+        languages: go
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - name: Build code
+      shell: bash
+      run: go build main.go
+    - uses: ./../action/analyze
+      with:
+        upload-database: false
+    - shell: bash
+      run: |
+        if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
+          echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
+            "CODEQL_ACTION_GO_BINARY environment variable is not set."
+          exit 1
+        fi
+        if [[ ! -f "${CODEQL_ACTION_GO_BINARY}" ]]; then
+          echo "CODEQL_ACTION_GO_BINARY is set, but the corresponding script does not exist."
+          exit 1
+        fi
+
+
+        # Once we start running Bash 4.2 in all environments, we can replace the
+        # `! -z` flag with the more elegant `-v` which confirms that the variable
+        # is actually unset and not potentially set to a blank value.
+        if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
+          echo "Expected the Go autobuilder not to be run, but the" \
+            "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
+          exit 1
+        fi
+        cd "$RUNNER_TEMP/codeql_databases"
+        if [[ ! -d go ]]; then
+          echo "Did not find a Go database"
+          exit 1
+        fi
+    env:
+      CODEQL_ACTION_TEST_MODE: true

.github/workflows/__go-tracing-autobuilder.yml

@@ -80,6 +80,9 @@ jobs:
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/setup-go@v4
+      with:
+        go-version: ~1.21.1
     - uses: ./../action/init
       with:
         languages: go

.github/workflows/__go-tracing-custom-build-steps.yml

@@ -80,6 +80,9 @@ jobs:
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/setup-go@v4
+      with:
+        go-version: ~1.21.1
     - uses: ./../action/init
       with:
         languages: go

.github/workflows/__go-tracing-legacy-workflow.yml

@@ -80,6 +80,9 @@ jobs:
         )
       shell: bash
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
+    - uses: actions/setup-go@v4
+      with:
+        go-version: ~1.21.1
     - uses: ./../action/init
       with:
         languages: go

.github/workflows/__resolve-environment-action.yml

@@ -31,6 +31,24 @@ jobs:
           version: stable-v2.13.4
         - os: windows-latest
           version: stable-v2.13.4
+        - os: ubuntu-latest
+          version: default
+        - os: macos-latest
+          version: default
+        - os: windows-latest
+          version: default
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
     name: Resolve environment
     permissions:
       contents: read
@@ -56,16 +74,30 @@ jobs:
       run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
     - uses: ./../action/init
       with:
-        languages: go
+        languages: ${{ matrix.version == 'stable-v2.13.4' && 'go' || 'go,javascript-typescript'
+          }}
         tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-    - uses: ./../action/resolve-environment
-      id: resolve-environment
+    - name: Resolve environment for Go
+      uses: ./../action/resolve-environment
+      id: resolve-environment-go
       with:
         language: go
 
-    - name: Fail if no Go configuration was returned
-      if: (!fromJSON(steps.resolve-environment.outputs.environment).configuration.go)
+    - name: Fail if Go configuration missing
+      if: (!fromJSON(steps.resolve-environment-go.outputs.environment).configuration.go)
+      run: exit 1
+
+    - name: Resolve environment for JavaScript/TypeScript
+      if: matrix.version != 'stable-v2.13.4'
+      uses: ./../action/resolve-environment
+      id: resolve-environment-js
+      with:
+        language: javascript-typescript
+
+    - name: Fail if JavaScript/TypeScript configuration present
+      if: matrix.version != 'stable-v2.13.4' && 
+        fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
       run: exit 1
     env:
       CODEQL_ACTION_TEST_MODE: true

CHANGELOG.md

@@ -4,8 +4,13 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 ## [UNRELEASED]
 
+No user facing changes.
+
+## 2.22.0 - 06 Oct 2023
+
 - The CodeQL Action now requires CodeQL version 2.10.5 or later. For more information, see the corresponding changelog entry for CodeQL Action version 2.21.8. [#1907](https://github.com/github/codeql-action/pull/1907)
 - The CodeQL Action no longer runs ML-powered queries. For more information, including details on our investment in AI-powered security technology, see ["CodeQL code scanning deprecates ML-powered alerts."](https://github.blog/changelog/2023-09-29-codeql-code-scanning-deprecates-ml-powered-alerts/) [#1910](https://github.com/github/codeql-action/pull/1910)
+- Fix a bug which prevented tracing of projects using Go 1.21 and above on Linux. [#1909](https://github.com/github/codeql-action/pull/1909)
 
 ## 2.21.9 - 27 Sep 2023
 

lib/actions-util.js

@@ -23,7 +23,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getWorkflowRunAttempt = exports.getWorkflowRunID = exports.getUploadValue = exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.getWorkflowEventName = exports.getActionVersion = exports.getRef = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
+exports.getFileType = exports.getWorkflowRunAttempt = exports.getWorkflowRunID = exports.getUploadValue = exports.printDebugLogs = exports.isAnalyzingDefaultBranch = exports.getRelativeScriptPath = exports.isRunningLocalAction = exports.getWorkflowEventName = exports.getActionVersion = exports.getRef = exports.determineMergeBaseCommitOid = exports.getCommitOid = exports.getTemporaryDirectory = exports.getOptionalInput = exports.getRequiredInput = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
@@ -380,4 +380,34 @@ function getWorkflowRunAttempt() {
     return workflowRunAttempt;
 }
 exports.getWorkflowRunAttempt = getWorkflowRunAttempt;
+/**
+ * Tries to obtain the output of the `file` command for the file at the specified path.
+ * The output will vary depending on the type of `file`, which operating system we are running on, etc.
+ */
+const getFileType = async (filePath) => {
+    let stderr = "";
+    let stdout = "";
+    try {
+        // The `file` command will output information about the type of file pointed at by `filePath`.
+        // For binary files, this may include e.g. whether they are static of dynamic binaries.
+        // The `-L` switch instructs the command to follow symbolic links.
+        await new toolrunner.ToolRunner(await safeWhich.safeWhich("file"), ["-L", filePath], {
+            silent: true,
+            listeners: {
+                stdout: (data) => {
+                    stdout += data.toString();
+                },
+                stderr: (data) => {
+                    stderr += data.toString();
+                },
+            },
+        }).exec();
+        return stdout.trim();
+    }
+    catch (e) {
+        core.info(`Could not determine type of ${filePath} from ${stdout}. ${stderr}`);
+        throw e;
+    }
+};
+exports.getFileType = getFileType;
 //# sourceMappingURL=actions-util.js.map

lib/analyze-action.js

@@ -31,6 +31,7 @@ const fs = __importStar(require("fs"));
 const path_1 = __importDefault(require("path"));
 const perf_hooks_1 = require("perf_hooks");
 const core = __importStar(require("@actions/core"));
+const safe_which_1 = require("@chrisgavin/safe-which");
 const actionsUtil = __importStar(require("./actions-util"));
 const analyze_1 = require("./analyze");
 const api_client_1 = require("./api-client");
@@ -38,6 +39,7 @@ const autobuild_1 = require("./autobuild");
 const codeql_1 = require("./codeql");
 const config_utils_1 = require("./config-utils");
 const database_upload_1 = require("./database-upload");
+const diagnostics_1 = require("./diagnostics");
 const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
@@ -159,6 +161,26 @@ async function run() {
         const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
         const features = new feature_flags_1.Features(gitHubVersion, repositoryNwo, actionsUtil.getTemporaryDirectory(), logger);
         const memory = util.getMemoryFlag(actionsUtil.getOptionalInput("ram") || process.env["CODEQL_RAM"], logger);
+        // Check that `which go` still points at the wrapper script we installed in the `init` Action,
+        // if the corresponding environment variable is set. This is to ensure that there isn't a step
+        // in the workflow after the `init` step which installs a different version of Go and takes
+        // precedence in the PATH, thus potentially circumventing our workaround that allows tracing to work.
+        const goWrapperPath = process.env[environment_1.EnvVar.GO_BINARY_LOCATION];
+        if (goWrapperPath !== undefined) {
+            const goBinaryPath = await (0, safe_which_1.safeWhich)("go");
+            if (goWrapperPath !== goBinaryPath) {
+                core.warning(`Expected \`which go\` to return ${goWrapperPath}, but got ${goBinaryPath}: please ensure that the correct version of Go is installed before the \`codeql-action/init\` Action is used.`);
+                (0, diagnostics_1.addDiagnostic)(config, languages_1.Language.go, (0, diagnostics_1.makeDiagnostic)("go/workflow/go-installed-after-codeql-init", "Go was installed after the `codeql-action/init` Action was run", {
+                    markdownMessage: "To avoid interfering with the CodeQL analysis, perform all installation steps before calling the `github/codeql-action/init` Action.",
+                    visibility: {
+                        statusPage: true,
+                        telemetry: true,
+                        cliSummaryTable: true,
+                    },
+                    severity: "warning",
+                }));
+            }
+        }
         await runAutobuildIfLegacyGoWorkflow(config, logger);
         dbCreationTimings = await (0, analyze_1.runFinalize)(outputDir, threads, memory, config, logger, features);
         if (actionsUtil.getRequiredInput("skip-queries") !== "true") {

lib/autobuild-action.js

@@ -28,8 +28,6 @@ const actions_util_1 = require("./actions-util");
 const api_client_1 = require("./api-client");
 const autobuild_1 = require("./autobuild");
 const configUtils = __importStar(require("./config-utils"));
-const environment_1 = require("./environment");
-const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const status_report_1 = require("./status-report");
 const util_1 = require("./util");
@@ -69,9 +67,6 @@ async function run() {
             for (const language of languages) {
                 currentLanguage = language;
                 await (0, autobuild_1.runAutobuild)(language, config, logger);
-                if (language === languages_1.Language.go) {
-                    core.exportVariable(environment_1.EnvVar.DID_AUTOBUILD_GOLANG, "true");
-                }
             }
         }
     }

lib/autobuild-action.js.map

@@ -1 +1 @@
-{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,2CAAwE;AACxE,4DAA8C;AAC9C,+CAAuC;AACvC,2CAAuC;AACvC,uCAAqD;AACrD,mDAKyB;AACzB,iCAKgB;AAShB,KAAK,UAAU,yBAAyB,CACtC,MAAc,EACd,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,IAAA,+BAAgB,GAAE,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,IAAA,gCAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,IAAI,eAAe,GAAyB,SAAS,CAAC;IACtD,IAAI,SAAS,GAA2B,SAAS,CAAC;IAClD,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,gCAAgB,EACtB,MAAM,IAAA,sCAAsB,EAC1B,WAAW,EACX,UAAU,EACV,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,CAC7B,CACF,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QAED,SAAS,GAAG,MAAM,IAAA,uCAA2B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9D,IAAI,SAAS,KAAK,SAAS,EAAE;YAC3B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE;gBACpB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;aACjC;YACD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE;gBAChC,eAAe,GAAG,QAAQ,CAAC;gBAC3B,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;gBAC7C,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE;oBAC5B,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;iBAC1D;aACF;SACF;KACF;IAAC,OAAO,cAAc,EAAE;QACvB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CACZ,kIAAkI,KAAK,CAAC,OAAO,EAAE,CAClJ,CAAC;QACF,MAAM,yBAAyB,CAC7B,MAAM,EACN,SAAS,EACT,SAAS,IAAI,EAAE,EACf,eAAe,EACf,KAAK,CACN,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC;AACtE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;KACxE;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"autobuild-action.js","sourceRoot":"","sources":["../src/autobuild-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,2CAAwE;AACxE,4DAA8C;AAE9C,uCAAqD;AACrD,mDAKyB;AACzB,iCAKgB;AAShB,KAAK,UAAU,yBAAyB,CACtC,MAAc,EACd,SAAe,EACf,YAAsB,EACtB,eAAwB,EACxB,KAAa;IAEb,IAAA,4BAAqB,EAAC,IAAA,+BAAgB,GAAE,CAAC,CAAC;IAE1C,MAAM,MAAM,GAAG,IAAA,gCAAgB,EAAC,KAAK,EAAE,eAAe,CAAC,CAAC;IACxD,MAAM,gBAAgB,GAAG,MAAM,IAAA,sCAAsB,EACnD,WAAW,EACX,MAAM,EACN,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,EAC5B,KAAK,EAAE,OAAO,EACd,KAAK,EAAE,KAAK,CACb,CAAC;IACF,MAAM,YAAY,GAA0B;QAC1C,GAAG,gBAAgB;QACnB,mBAAmB,EAAE,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC;QAC3C,iBAAiB,EAAE,eAAe;KACnC,CAAC;IACF,MAAM,IAAA,gCAAgB,EAAC,YAAY,CAAC,CAAC;AACvC,CAAC;AAED,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,IAAI,eAAe,GAAyB,SAAS,CAAC;IACtD,IAAI,SAAS,GAA2B,SAAS,CAAC;IAClD,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,gCAAgB,EACtB,MAAM,IAAA,sCAAsB,EAC1B,WAAW,EACX,UAAU,EACV,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,CAC7B,CACF,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QAED,SAAS,GAAG,MAAM,IAAA,uCAA2B,EAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC9D,IAAI,SAAS,KAAK,SAAS,EAAE;YAC3B,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;YAC/D,IAAI,gBAAgB,EAAE;gBACpB,MAAM,CAAC,IAAI,CACT,6CAA6C,gBAAgB,EAAE,CAChE,CAAC;gBACF,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;aACjC;YACD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE;gBAChC,eAAe,GAAG,QAAQ,CAAC;gBAC3B,MAAM,IAAA,wBAAY,EAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;aAC9C;SACF;KACF;IAAC,OAAO,cAAc,EAAE;QACvB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QACxC,IAAI,CAAC,SAAS,CACZ,kIAAkI,KAAK,CAAC,OAAO,EAAE,CAClJ,CAAC;QACF,MAAM,yBAAyB,CAC7B,MAAM,EACN,SAAS,EACT,SAAS,IAAI,EAAE,EACf,eAAe,EACf,KAAK,CACN,CAAC;QACF,OAAO;KACR;IAED,MAAM,yBAAyB,CAAC,MAAM,EAAE,SAAS,EAAE,SAAS,IAAI,EAAE,CAAC,CAAC;AACtE,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,4BAA4B,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;KACxE;AACH,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/autobuild.js

@@ -28,6 +28,7 @@ const core = __importStar(require("@actions/core"));
 const actions_util_1 = require("./actions-util");
 const api_client_1 = require("./api-client");
 const codeql_1 = require("./codeql");
+const environment_1 = require("./environment");
 const feature_flags_1 = require("./feature-flags");
 const languages_1 = require("./languages");
 const repository_1 = require("./repository");
@@ -132,6 +133,9 @@ async function runAutobuild(language, config, logger) {
         await setupCppAutobuild(codeQL, logger);
     }
     await codeQL.runAutobuild(language);
+    if (language === languages_1.Language.go) {
+        core.exportVariable(environment_1.EnvVar.DID_AUTOBUILD_GOLANG, "true");
+    }
     logger.endGroup();
 }
 exports.runAutobuild = runAutobuild;

lib/autobuild.js.map

@@ -1 +1 @@
-{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAA6E;AAC7E,6CAAgD;AAChD,qCAA6C;AAE7C,mDAAmE;AACnE,2CAAyD;AAEzD,6CAAkD;AAClD,iCAA6C;AAEtC,KAAK,UAAU,2BAA2B,CAC/C,MAA0B,EAC1B,MAAc;IAEd,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAA,4BAAgB,EAAC,CAAC,CAAC,CACpB,CAAC;IAEF,IAAI,CAAC,kBAAkB,EAAE;QACvB,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;KAClB;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC,MAAM,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,oBAAQ,CAAC,EAAE,CACzB,CAAC;IAEF,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,yEAAyE;IACzE,UAAU;IACV,IAAI,2BAA2B,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE;QAChD,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;KAChD;IACD,uEAAuE;IACvE,wCAAwC;IACxC,IAAI,kBAAkB,CAAC,MAAM,KAAK,2BAA2B,CAAC,MAAM,EAAE;QACpE,SAAS,CAAC,IAAI,CAAC,oBAAQ,CAAC,EAAE,CAAC,CAAC;KAC7B;IAED,MAAM,CAAC,KAAK,CAAC,kBAAkB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE3D,2EAA2E;IAC3E,4EAA4E;IAC5E,2CAA2C;IAC3C,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,yCAAyC;IACzC,IAAI,2BAA2B,CAAC,MAAM,GAAG,CAAC,EAAE;QAC1C,MAAM,CAAC,OAAO,CACZ,oCAAoC,SAAS,CAAC,IAAI,CAChD,OAAO,CACR,8BAA8B,2BAA2B;aACvD,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CACH,OAAO,CACR,kFAAkF;YACnF,4BAA4B;YAC5B,0NAA0N,CAC7N,CAAC;KACH;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAtFD,kEAsFC;AAED,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IAC7D,MAAM,MAAM,GAAG,6BAAa,CAAC,uBAAO,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC;IACvE,MAAM,WAAW,GAAG,4CAA4C,CAAC;IACjE,MAAM,MAAM,GACV,wHAAwH,CAAC;IAC3H,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;IACF,IAAI,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,yBAAyB,EAAE,MAAM,CAAC,EAAE;QACtE,yEAAyE;QACzE,IACE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,aAAa;YACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,MAAM,EAC9B;YACA,MAAM,CAAC,IAAI,CACT,aAAa,WAAW,sCACtB,IAAA,mCAAoB,GAAE,KAAK,SAAS;gBAClC,CAAC,CAAC,8BAA8B,MAAM,yDAAyD,MAAM,IAAI;gBACzG,CAAC,CAAC,EACN,EAAE,CACH,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;SACtC;aAAM;YACL,MAAM,CAAC,IAAI,CACT,YAAY,WAAW,yCAAyC,MAAM,yCAAyC,MAAM,IAAI,CAC1H,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;SACrC;KACF;SAAM;QACL,MAAM,CAAC,IAAI,CAAC,aAAa,WAAW,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACtC;AACH,CAAC;AAEM,KAAK,UAAU,YAAY,CAChC,QAAkB,EAClB,MAA0B,EAC1B,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,GAAG,EAAE;QAC7B,MAAM,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACzC;IACD,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAZD,oCAYC"}
+{"version":3,"file":"autobuild.js","sourceRoot":"","sources":["../src/autobuild.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAA6E;AAC7E,6CAAgD;AAChD,qCAA6C;AAE7C,+CAAuC;AACvC,mDAAmE;AACnE,2CAAyD;AAEzD,6CAAkD;AAClD,iCAA6C;AAEtC,KAAK,UAAU,2BAA2B,CAC/C,MAA0B,EAC1B,MAAc;IAEd,0CAA0C;IAC1C,mFAAmF;IACnF,oFAAoF;IACpF,4EAA4E;IAC5E,MAAM,kBAAkB,GAAG,MAAM,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CACvD,IAAA,4BAAgB,EAAC,CAAC,CAAC,CACpB,CAAC;IAEF,IAAI,CAAC,kBAAkB,EAAE;QACvB,MAAM,CAAC,IAAI,CACT,iEAAiE,CAClE,CAAC;QACF,OAAO,SAAS,CAAC;KAClB;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;OA0BG;IACH,MAAM,2BAA2B,GAAG,kBAAkB,CAAC,MAAM,CAC3D,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,oBAAQ,CAAC,EAAE,CACzB,CAAC;IAEF,MAAM,SAAS,GAAe,EAAE,CAAC;IACjC,yEAAyE;IACzE,UAAU;IACV,IAAI,2BAA2B,CAAC,CAAC,CAAC,KAAK,SAAS,EAAE;QAChD,SAAS,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAC,CAAC,CAAC,CAAC;KAChD;IACD,uEAAuE;IACvE,wCAAwC;IACxC,IAAI,kBAAkB,CAAC,MAAM,KAAK,2BAA2B,CAAC,MAAM,EAAE;QACpE,SAAS,CAAC,IAAI,CAAC,oBAAQ,CAAC,EAAE,CAAC,CAAC;KAC7B;IAED,MAAM,CAAC,KAAK,CAAC,kBAAkB,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;IAE3D,2EAA2E;IAC3E,4EAA4E;IAC5E,2CAA2C;IAC3C,uEAAuE;IACvE,2EAA2E;IAC3E,uEAAuE;IACvE,yCAAyC;IACzC,IAAI,2BAA2B,CAAC,MAAM,GAAG,CAAC,EAAE;QAC1C,MAAM,CAAC,OAAO,CACZ,oCAAoC,SAAS,CAAC,IAAI,CAChD,OAAO,CACR,8BAA8B,2BAA2B;aACvD,KAAK,CAAC,CAAC,CAAC;aACR,IAAI,CACH,OAAO,CACR,kFAAkF;YACnF,4BAA4B;YAC5B,0NAA0N,CAC7N,CAAC;KACH;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAtFD,kEAsFC;AAED,KAAK,UAAU,iBAAiB,CAAC,MAAc,EAAE,MAAc;IAC7D,MAAM,MAAM,GAAG,6BAAa,CAAC,uBAAO,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC;IACvE,MAAM,WAAW,GAAG,4CAA4C,CAAC;IACjE,MAAM,MAAM,GACV,wHAAwH,CAAC;IAC3H,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;IAC/C,MAAM,aAAa,GAAG,IAAA,+BAAkB,EACtC,IAAA,0BAAmB,EAAC,mBAAmB,CAAC,CACzC,CAAC;IACF,MAAM,QAAQ,GAAG,IAAI,wBAAQ,CAC3B,aAAa,EACb,aAAa,EACb,IAAA,oCAAqB,GAAE,EACvB,MAAM,CACP,CAAC;IACF,IAAI,MAAM,QAAQ,CAAC,QAAQ,CAAC,uBAAO,CAAC,yBAAyB,EAAE,MAAM,CAAC,EAAE;QACtE,yEAAyE;QACzE,IACE,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC,KAAK,aAAa;YACnD,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,MAAM,EAC9B;YACA,MAAM,CAAC,IAAI,CACT,aAAa,WAAW,sCACtB,IAAA,mCAAoB,GAAE,KAAK,SAAS;gBAClC,CAAC,CAAC,8BAA8B,MAAM,yDAAyD,MAAM,IAAI;gBACzG,CAAC,CAAC,EACN,EAAE,CACH,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;SACtC;aAAM;YACL,MAAM,CAAC,IAAI,CACT,YAAY,WAAW,yCAAyC,MAAM,yCAAyC,MAAM,IAAI,CAC1H,CAAC;YACF,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;SACrC;KACF;SAAM;QACL,MAAM,CAAC,IAAI,CAAC,aAAa,WAAW,GAAG,CAAC,CAAC;QACzC,IAAI,CAAC,cAAc,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;KACtC;AACH,CAAC;AAEM,KAAK,UAAU,YAAY,CAChC,QAAkB,EAClB,MAA0B,EAC1B,MAAc;IAEd,MAAM,CAAC,UAAU,CAAC,qCAAqC,QAAQ,OAAO,CAAC,CAAC;IACxE,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,MAAM,CAAC,SAAS,CAAC,CAAC;IACjD,IAAI,QAAQ,KAAK,oBAAQ,CAAC,GAAG,EAAE;QAC7B,MAAM,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACzC;IACD,MAAM,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;IACpC,IAAI,QAAQ,KAAK,oBAAQ,CAAC,EAAE,EAAE;QAC5B,IAAI,CAAC,cAAc,CAAC,oBAAM,CAAC,oBAAoB,EAAE,MAAM,CAAC,CAAC;KAC1D;IACD,MAAM,CAAC,QAAQ,EAAE,CAAC;AACpB,CAAC;AAfD,oCAeC"}

lib/codeql.js

@@ -298,6 +298,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 "--db-cluster",
                 config.dbLocation,
                 `--source-root=${sourceRoot}`,
+                ...(await getLanguageAliasingArguments(this)),
                 ...extraArgs,
                 ...getExtraOptionsFromEnv(["database", "init"]),
             ], { stdin: externalRepositoryToken });
@@ -385,16 +386,12 @@ async function getCodeQLForCmd(cmd, checkVersion) {
             }
         },
         async betterResolveLanguages() {
-            const extraArgs = [];
-            if (await util.codeQlVersionAbove(this, exports.CODEQL_VERSION_LANGUAGE_ALIASING)) {
-                extraArgs.push("--extractor-include-aliases");
-            }
             const codeqlArgs = [
                 "resolve",
                 "languages",
                 "--format=betterjson",
                 "--extractor-options-verbosity=4",
-                ...extraArgs,
+                ...(await getLanguageAliasingArguments(this)),
                 ...getExtraOptionsFromEnv(["resolve", "languages"]),
             ];
             const output = await runTool(cmd, codeqlArgs);
@@ -429,6 +426,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 "resolve",
                 "build-environment",
                 `--language=${language}`,
+                ...(await getLanguageAliasingArguments(this)),
                 ...getExtraOptionsFromEnv(["resolve", "build-environment"]),
             ];
             if (workingDir !== undefined) {
@@ -646,6 +644,7 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 "extractor",
                 "--format=json",
                 `--language=${language}`,
+                ...(await getLanguageAliasingArguments(this)),
                 ...getExtraOptionsFromEnv(["resolve", "extractor"]),
             ], {
                 silent: true,
@@ -962,4 +961,10 @@ function isNoCodeFoundError(e) {
 async function isDiagnosticsExportInvalidSarifFixed(codeql) {
     return await util.codeQlVersionAbove(codeql, exports.CODEQL_VERSION_DIAGNOSTICS_EXPORT_FIXED);
 }
+async function getLanguageAliasingArguments(codeql) {
+    if (await util.codeQlVersionAbove(codeql, exports.CODEQL_VERSION_LANGUAGE_ALIASING)) {
+        return ["--extractor-include-aliases"];
+    }
+    return [];
+}
 //# sourceMappingURL=codeql.js.map

lib/diagnostics.js

@@ -0,0 +1,47 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.addDiagnostic = exports.makeDiagnostic = void 0;
+const fs_1 = require("fs");
+const path_1 = __importDefault(require("path"));
+const logging_1 = require("./logging");
+const util_1 = require("./util");
+/**
+ * Constructs a new diagnostic message with the specified id and name, as well as optional additional data.
+ *
+ * @param id An identifier under which it makes sense to group this diagnostic message.
+ * @param name Display name for the ID.
+ * @param data Optional additional data to initialize the diagnostic with.
+ * @returns Returns the new diagnostic message.
+ */
+function makeDiagnostic(id, name, data = undefined) {
+    return {
+        ...data,
+        timestamp: data?.timestamp ?? new Date().toISOString(),
+        source: { ...data?.source, id, name },
+    };
+}
+exports.makeDiagnostic = makeDiagnostic;
+/**
+ * Writes the given diagnostic to the database.
+ *
+ * @param config The configuration that tells us where to store the diagnostic.
+ * @param diagnostic The diagnostic message to add to the database.
+ */
+function addDiagnostic(config, language, diagnostic) {
+    const logger = (0, logging_1.getActionsLogger)();
+    const diagnosticsPath = path_1.default.resolve((0, util_1.getCodeQLDatabasePath)(config, language), "diagnostic", "codeql-action");
+    try {
+        // Create the directory if it doesn't exist yet.
+        (0, fs_1.mkdirSync)(diagnosticsPath, { recursive: true });
+        const jsonPath = path_1.default.resolve(diagnosticsPath, `codeql-action-${diagnostic.timestamp}.json`);
+        (0, fs_1.writeFileSync)(jsonPath, JSON.stringify(diagnostic));
+    }
+    catch (err) {
+        logger.warning(`Unable to write diagnostic message to database: ${err}`);
+    }
+}
+exports.addDiagnostic = addDiagnostic;
+//# sourceMappingURL=diagnostics.js.map

lib/diagnostics.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"diagnostics.js","sourceRoot":"","sources":["../src/diagnostics.ts"],"names":[],"mappings":";;;;;;AAAA,2BAA8C;AAC9C,gDAAwB;AAIxB,uCAA6C;AAC7C,iCAA+C;AAmD/C;;;;;;;GAOG;AACH,SAAgB,cAAc,CAC5B,EAAU,EACV,IAAY,EACZ,OAA+C,SAAS;IAExD,OAAO;QACL,GAAG,IAAI;QACP,SAAS,EAAE,IAAI,EAAE,SAAS,IAAI,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACtD,MAAM,EAAE,EAAE,GAAG,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE;KACtC,CAAC;AACJ,CAAC;AAVD,wCAUC;AAED;;;;;GAKG;AACH,SAAgB,aAAa,CAC3B,MAAc,EACd,QAAkB,EAClB,UAA6B;IAE7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAClC,MAAM,eAAe,GAAG,cAAI,CAAC,OAAO,CAClC,IAAA,4BAAqB,EAAC,MAAM,EAAE,QAAQ,CAAC,EACvC,YAAY,EACZ,eAAe,CAChB,CAAC;IAEF,IAAI;QACF,gDAAgD;QAChD,IAAA,cAAS,EAAC,eAAe,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAEhD,MAAM,QAAQ,GAAG,cAAI,CAAC,OAAO,CAC3B,eAAe,EACf,iBAAiB,UAAU,CAAC,SAAS,OAAO,CAC7C,CAAC;QAEF,IAAA,kBAAa,EAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC,CAAC;KACrD;IAAC,OAAO,GAAG,EAAE;QACZ,MAAM,CAAC,OAAO,CAAC,mDAAmD,GAAG,EAAE,CAAC,CAAC;KAC1E;AACH,CAAC;AAzBD,sCAyBC"}

lib/environment.js

@@ -51,5 +51,11 @@ var EnvVar;
      * rather that the init action.
      */
     EnvVar["WORKFLOW_STARTED_AT"] = "CODEQL_WORKFLOW_STARTED_AT";
+    /**
+     * The path where we initially discovered the Go binary in the system path
+     * before replacing it with a wrapper script. We check this later to ensure
+     * that it hasn't been tampered with by a late e.g. `setup-go` step.
+     */
+    EnvVar["GO_BINARY_LOCATION"] = "CODEQL_ACTION_GO_BINARY";
 })(EnvVar || (exports.EnvVar = EnvVar = {}));
 //# sourceMappingURL=environment.js.map

lib/environment.js.map

@@ -1 +1 @@
-{"version":3,"file":"environment.js","sourceRoot":"","sources":["../src/environment.ts"],"names":[],"mappings":";;;AAAA,IAAY,MAgEX;AAhED,WAAY,MAAM;IAChB,2DAA2D;IAC3D,+FAAqF,CAAA;IAErF,gEAAgE;IAChE,qEAA2D,CAAA;IAE3D;;;OAGG;IACH,yFAA+E,CAAA;IAE/E;;;OAGG;IACH,yEAA+D,CAAA;IAE/D,gFAAgF;IAChF,6DAAmD,CAAA;IAEnD;;;OAGG;IACH,uEAA6D,CAAA;IAE7D,gEAAgE;IAChE,mEAAyD,CAAA;IAEzD,kFAAkF;IAClF,mFAAyE,CAAA;IAEzE,6CAA6C;IAC7C,uCAA6B,CAAA;IAE7B,mEAAyD,CAAA;IAEzD;;;OAGG;IACH,2FAAiF,CAAA;IAEjF,mFAAmF;IACnF,6FAAmF,CAAA;IAEnF,qFAAqF;IACrF,+CAAqC,CAAA;IAErC,mEAAyD,CAAA;IAEzD,kEAAkE;IAClE,2CAAiC,CAAA;IAEjC;;;;;;OAMG;IACH,4DAAkD,CAAA;AACpD,CAAC,EAhEW,MAAM,sBAAN,MAAM,QAgEjB"}
+{"version":3,"file":"environment.js","sourceRoot":"","sources":["../src/environment.ts"],"names":[],"mappings":";;;AAAA,IAAY,MAuEX;AAvED,WAAY,MAAM;IAChB,2DAA2D;IAC3D,+FAAqF,CAAA;IAErF,gEAAgE;IAChE,qEAA2D,CAAA;IAE3D;;;OAGG;IACH,yFAA+E,CAAA;IAE/E;;;OAGG;IACH,yEAA+D,CAAA;IAE/D,gFAAgF;IAChF,6DAAmD,CAAA;IAEnD;;;OAGG;IACH,uEAA6D,CAAA;IAE7D,gEAAgE;IAChE,mEAAyD,CAAA;IAEzD,kFAAkF;IAClF,mFAAyE,CAAA;IAEzE,6CAA6C;IAC7C,uCAA6B,CAAA;IAE7B,mEAAyD,CAAA;IAEzD;;;OAGG;IACH,2FAAiF,CAAA;IAEjF,mFAAmF;IACnF,6FAAmF,CAAA;IAEnF,qFAAqF;IACrF,+CAAqC,CAAA;IAErC,mEAAyD,CAAA;IAEzD,kEAAkE;IAClE,2CAAiC,CAAA;IAEjC;;;;;;OAMG;IACH,4DAAkD,CAAA;IAElD;;;;OAIG;IACH,wDAA8C,CAAA;AAChD,CAAC,EAvEW,MAAM,sBAAN,MAAM,QAuEjB"}

lib/init-action.js

@@ -23,8 +23,10 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const core = __importStar(require("@actions/core"));
+const safe_which_1 = require("@chrisgavin/safe-which");
 const uuid_1 = require("uuid");
 const actions_util_1 = require("./actions-util");
 const api_client_1 = require("./api-client");
@@ -36,6 +38,7 @@ const logging_1 = require("./logging");
 const repository_1 = require("./repository");
 const setup_codeql_1 = require("./setup-codeql");
 const status_report_1 = require("./status-report");
+const tools_features_1 = require("./tools-features");
 const trap_caching_1 = require("./trap-caching");
 const util_1 = require("./util");
 const workflow_1 = require("./workflow");
@@ -159,12 +162,43 @@ async function run() {
         return;
     }
     try {
+        // Query CLI for supported features
+        const versionInfo = await codeql.getVersion();
         // Forward Go flags
         const goFlags = process.env["GOFLAGS"];
         if (goFlags) {
             core.exportVariable("GOFLAGS", goFlags);
             core.warning("Passing the GOFLAGS env parameter to the init action is deprecated. Please move this to the analyze action.");
         }
+        // Go 1.21 and above ships with statically linked binaries on Linux. CodeQL cannot currently trace custom builds
+        // where the entry point is a statically linked binary. Until that is fixed, we work around the problem by
+        // replacing the `go` binary with a shell script that invokes the actual `go` binary. Since the shell is typically
+        // dynamically linked, this provides a suitable entry point for the CodeQL tracer.
+        if (config.languages.includes(languages_1.Language.go) &&
+            process.platform === "linux" &&
+            !(0, tools_features_1.isSupportedToolsFeature)(versionInfo, tools_features_1.ToolsFeature.IndirectTracingSupportsStaticBinaries)) {
+            try {
+                const goBinaryPath = await (0, safe_which_1.safeWhich)("go");
+                const fileOutput = await (0, actions_util_1.getFileType)(goBinaryPath);
+                if (fileOutput.includes("statically linked")) {
+                    logger.debug(`Applying static binary workaround for Go`);
+                    // Create a directory that we can add to the system PATH.
+                    const tempBinPath = path.resolve((0, actions_util_1.getTemporaryDirectory)(), "codeql-action-go-tracing", "bin");
+                    fs.mkdirSync(tempBinPath, { recursive: true });
+                    core.addPath(tempBinPath);
+                    // Write the wrapper script to the directory we just added to the PATH.
+                    const goWrapperPath = path.resolve(tempBinPath, "go");
+                    fs.writeFileSync(goWrapperPath, `#!/bin/bash\n\nexec ${goBinaryPath} "$@"`);
+                    fs.chmodSync(goWrapperPath, "755");
+                    // Store the original location of our wrapper script somewhere where we can
+                    // later retrieve it from and cross-check that it hasn't been changed.
+                    core.exportVariable(environment_1.EnvVar.GO_BINARY_LOCATION, goWrapperPath);
+                }
+            }
+            catch (e) {
+                logger.warning(`Analyzing Go on Linux, but failed to install wrapper script. Tracing custom builds may fail: ${e}`);
+            }
+        }
         // Limit RAM and threads for extractors. When running extractors, the CodeQL CLI obeys the
         // CODEQL_RAM and CODEQL_THREADS environment variables to decide how much RAM and how many
         // threads it would ask extractors to use. See help text for the "--ram" and "--threads"

lib/resolve-environment-action.js

@@ -28,7 +28,6 @@ const actions_util_1 = require("./actions-util");
 const api_client_1 = require("./api-client");
 const codeql_1 = require("./codeql");
 const configUtils = __importStar(require("./config-utils"));
-const languages_1 = require("./languages");
 const logging_1 = require("./logging");
 const resolve_environment_1 = require("./resolve-environment");
 const status_report_1 = require("./status-report");
@@ -42,10 +41,6 @@ async function run() {
         if (!(await (0, status_report_1.sendStatusReport)(await (0, status_report_1.createStatusReportBase)(ACTION_NAME, "starting", startedAt, await (0, util_1.checkDiskUsage)(logger))))) {
             return;
         }
-        const language = (0, languages_1.parseLanguage)((0, actions_util_1.getRequiredInput)("language"));
-        if (language === undefined) {
-            throw new Error(`Did not recognize the language "${(0, actions_util_1.getRequiredInput)("language")}".`);
-        }
         const gitHubVersion = await (0, api_client_1.getGitHubVersion)();
         (0, util_1.checkGitHubVersionInRange)(gitHubVersion, logger);
         const config = await configUtils.getConfig((0, actions_util_1.getTemporaryDirectory)(), logger);
@@ -53,7 +48,7 @@ async function run() {
             throw new Error("Config file could not be found at expected location. Has the 'init' action been called?");
         }
         const workingDirectory = (0, actions_util_1.getOptionalInput)("working-directory");
-        const result = await (0, resolve_environment_1.runResolveBuildEnvironment)(config.codeQLCmd, logger, workingDirectory, language);
+        const result = await (0, resolve_environment_1.runResolveBuildEnvironment)(config.codeQLCmd, logger, workingDirectory, (0, actions_util_1.getRequiredInput)("language"));
         core.setOutput(ENVIRONMENT_OUTPUT_NAME, result);
     }
     catch (unwrappedError) {

lib/resolve-environment-action.js.map

@@ -1 +1 @@
-{"version":3,"file":"resolve-environment-action.js","sourceRoot":"","sources":["../src/resolve-environment-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,qCAAkD;AAClD,4DAA8C;AAC9C,2CAAsD;AACtD,uCAA6C;AAC7C,+DAAmE;AACnE,mDAIyB;AACzB,iCAKgB;AAEhB,MAAM,WAAW,GAAG,qBAAqB,CAAC;AAC1C,MAAM,uBAAuB,GAAG,aAAa,CAAC;AAE9C,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,gCAAgB,EACtB,MAAM,IAAA,sCAAsB,EAC1B,WAAW,EACX,UAAU,EACV,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,CAC7B,CACF,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,QAAQ,GAAyB,IAAA,yBAAa,EAClD,IAAA,+BAAgB,EAAC,UAAU,CAAC,CAC7B,CAAC;QAEF,IAAI,QAAQ,KAAK,SAAS,EAAE;YAC1B,MAAM,IAAI,KAAK,CACb,mCAAmC,IAAA,+BAAgB,EAAC,UAAU,CAAC,IAAI,CACpE,CAAC;SACH;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QAED,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,MAAM,IAAA,gDAA0B,EAC7C,MAAM,CAAC,SAAS,EAChB,MAAM,EACN,gBAAgB,EAChB,QAAQ,CACT,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;KACjD;IAAC,OAAO,cAAc,EAAE;QACvB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QAExC,IAAI,KAAK,YAAY,+BAAsB,EAAE;YAC3C,6DAA6D;YAC7D,qEAAqE;YACrE,IAAI,CAAC,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC;YAC5C,MAAM,CAAC,OAAO,CACZ,wFAAwF,KAAK,CAAC,OAAO,EAAE,CACxG,CAAC;SACH;aAAM;YACL,kFAAkF;YAClF,IAAI,CAAC,SAAS,CACZ,wFAAwF,KAAK,CAAC,OAAO,EAAE,CACxG,CAAC;YAEF,MAAM,IAAA,gCAAgB,EACpB,MAAM,IAAA,sCAAsB,EAC1B,WAAW,EACX,IAAA,gCAAgB,EAAC,KAAK,CAAC,EACvB,SAAS,EACT,MAAM,IAAA,qBAAc,GAAE,EACtB,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CACF,CAAC;SACH;QAED,OAAO;KACR;IAED,MAAM,IAAA,gCAAgB,EACpB,MAAM,IAAA,sCAAsB,EAC1B,WAAW,EACX,SAAS,EACT,SAAS,EACT,MAAM,IAAA,qBAAc,GAAE,CACvB,CACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,GAAG,WAAW,mBAAmB,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;KAC7E;IACD,MAAM,IAAA,sBAAe,GAAE,CAAC;AAC1B,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}
+{"version":3,"file":"resolve-environment-action.js","sourceRoot":"","sources":["../src/resolve-environment-action.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAAA,oDAAsC;AAEtC,iDAIwB;AACxB,6CAAgD;AAChD,qCAAkD;AAClD,4DAA8C;AAC9C,uCAA6C;AAC7C,+DAAmE;AACnE,mDAIyB;AACzB,iCAKgB;AAEhB,MAAM,WAAW,GAAG,qBAAqB,CAAC;AAC1C,MAAM,uBAAuB,GAAG,aAAa,CAAC;AAE9C,KAAK,UAAU,GAAG;IAChB,MAAM,SAAS,GAAG,IAAI,IAAI,EAAE,CAAC;IAC7B,MAAM,MAAM,GAAG,IAAA,0BAAgB,GAAE,CAAC;IAElC,IAAI;QACF,IACE,CAAC,CAAC,MAAM,IAAA,gCAAgB,EACtB,MAAM,IAAA,sCAAsB,EAC1B,WAAW,EACX,UAAU,EACV,SAAS,EACT,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,CAC7B,CACF,CAAC,EACF;YACA,OAAO;SACR;QAED,MAAM,aAAa,GAAG,MAAM,IAAA,6BAAgB,GAAE,CAAC;QAC/C,IAAA,gCAAyB,EAAC,aAAa,EAAE,MAAM,CAAC,CAAC;QAEjD,MAAM,MAAM,GAAG,MAAM,WAAW,CAAC,SAAS,CAAC,IAAA,oCAAqB,GAAE,EAAE,MAAM,CAAC,CAAC;QAC5E,IAAI,MAAM,KAAK,SAAS,EAAE;YACxB,MAAM,IAAI,KAAK,CACb,yFAAyF,CAC1F,CAAC;SACH;QAED,MAAM,gBAAgB,GAAG,IAAA,+BAAgB,EAAC,mBAAmB,CAAC,CAAC;QAC/D,MAAM,MAAM,GAAG,MAAM,IAAA,gDAA0B,EAC7C,MAAM,CAAC,SAAS,EAChB,MAAM,EACN,gBAAgB,EAChB,IAAA,+BAAgB,EAAC,UAAU,CAAC,CAC7B,CAAC;QACF,IAAI,CAAC,SAAS,CAAC,uBAAuB,EAAE,MAAM,CAAC,CAAC;KACjD;IAAC,OAAO,cAAc,EAAE;QACvB,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,cAAc,CAAC,CAAC;QAExC,IAAI,KAAK,YAAY,+BAAsB,EAAE;YAC3C,6DAA6D;YAC7D,qEAAqE;YACrE,IAAI,CAAC,SAAS,CAAC,uBAAuB,EAAE,EAAE,CAAC,CAAC;YAC5C,MAAM,CAAC,OAAO,CACZ,wFAAwF,KAAK,CAAC,OAAO,EAAE,CACxG,CAAC;SACH;aAAM;YACL,kFAAkF;YAClF,IAAI,CAAC,SAAS,CACZ,wFAAwF,KAAK,CAAC,OAAO,EAAE,CACxG,CAAC;YAEF,MAAM,IAAA,gCAAgB,EACpB,MAAM,IAAA,sCAAsB,EAC1B,WAAW,EACX,IAAA,gCAAgB,EAAC,KAAK,CAAC,EACvB,SAAS,EACT,MAAM,IAAA,qBAAc,GAAE,EACtB,KAAK,CAAC,OAAO,EACb,KAAK,CAAC,KAAK,CACZ,CACF,CAAC;SACH;QAED,OAAO;KACR;IAED,MAAM,IAAA,gCAAgB,EACpB,MAAM,IAAA,sCAAsB,EAC1B,WAAW,EACX,SAAS,EACT,SAAS,EACT,MAAM,IAAA,qBAAc,GAAE,CACvB,CACF,CAAC;AACJ,CAAC;AAED,KAAK,UAAU,UAAU;IACvB,IAAI;QACF,MAAM,GAAG,EAAE,CAAC;KACb;IAAC,OAAO,KAAK,EAAE;QACd,IAAI,CAAC,SAAS,CAAC,GAAG,WAAW,mBAAmB,IAAA,gBAAS,EAAC,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;KAC7E;IACD,MAAM,IAAA,sBAAe,GAAE,CAAC;AAC1B,CAAC;AAED,KAAK,UAAU,EAAE,CAAC"}

lib/resolve-environment.js

@@ -25,10 +25,21 @@ var __importStar = (this && this.__importStar) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runResolveBuildEnvironment = void 0;
 const codeql_1 = require("./codeql");
+const languages_1 = require("./languages");
 const util = __importStar(require("./util"));
-async function runResolveBuildEnvironment(cmd, logger, workingDir, language) {
-    logger.startGroup(`Attempting to resolve build environment for ${language}`);
+async function runResolveBuildEnvironment(cmd, logger, workingDir, languageInput) {
+    logger.startGroup(`Attempting to resolve build environment for ${languageInput}`);
     const codeql = await (0, codeql_1.getCodeQL)(cmd);
+    let language = languageInput;
+    // If the CodeQL CLI version in use supports language aliasing, give the CLI the raw language
+    // input. Otherwise, parse the language input and give the CLI the parsed language.
+    if (!(await util.codeQlVersionAbove(codeql, codeql_1.CODEQL_VERSION_LANGUAGE_ALIASING))) {
+        const parsedLanguage = (0, languages_1.parseLanguage)(languageInput)?.toString();
+        if (parsedLanguage === undefined) {
+            throw new Error(`Did not recognize the language '${languageInput}'.`);
+        }
+        language = parsedLanguage;
+    }
     let result = {};
     // If the CodeQL version in use does not support the `resolve build-environment`
     // command, just return an empty configuration. Otherwise invoke the CLI.

lib/resolve-environment.js.map

@@ -1 +1 @@
-{"version":3,"file":"resolve-environment.js","sourceRoot":"","sources":["../src/resolve-environment.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,qCAAyE;AAGzE,6CAA+B;AAExB,KAAK,UAAU,0BAA0B,CAC9C,GAAW,EACX,MAAc,EACd,UAA8B,EAC9B,QAAkB;IAElB,MAAM,CAAC,UAAU,CAAC,+CAA+C,QAAQ,EAAE,CAAC,CAAC;IAE7E,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,GAAG,CAAC,CAAC;IACpC,IAAI,MAAM,GAAG,EAAE,CAAC;IAEhB,gFAAgF;IAChF,yEAAyE;IACzE,IACE,CAAC,CAAC,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,2CAAkC,CAAC,CAAC,EAC5E;QACA,MAAM,CAAC,OAAO,CACZ,0EAA0E;YACxE,mCAAmC,CACtC,CAAC;KACH;SAAM;QACL,IAAI,UAAU,KAAK,SAAS,EAAE;YAC5B,MAAM,CAAC,IAAI,CAAC,SAAS,UAAU,4BAA4B,CAAC,CAAC;SAC9D;QAED,MAAM,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;KACrE;IAED,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA9BD,gEA8BC"}
+{"version":3,"file":"resolve-environment.js","sourceRoot":"","sources":["../src/resolve-environment.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,qCAIkB;AAClB,2CAA4C;AAE5C,6CAA+B;AAExB,KAAK,UAAU,0BAA0B,CAC9C,GAAW,EACX,MAAc,EACd,UAA8B,EAC9B,aAAqB;IAErB,MAAM,CAAC,UAAU,CACf,+CAA+C,aAAa,EAAE,CAC/D,CAAC;IAEF,MAAM,MAAM,GAAG,MAAM,IAAA,kBAAS,EAAC,GAAG,CAAC,CAAC;IAEpC,IAAI,QAAQ,GAAG,aAAa,CAAC;IAC7B,6FAA6F;IAC7F,mFAAmF;IACnF,IACE,CAAC,CAAC,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,yCAAgC,CAAC,CAAC,EAC1E;QACA,MAAM,cAAc,GAAG,IAAA,yBAAa,EAAC,aAAa,CAAC,EAAE,QAAQ,EAAE,CAAC;QAChE,IAAI,cAAc,KAAK,SAAS,EAAE;YAChC,MAAM,IAAI,KAAK,CAAC,mCAAmC,aAAa,IAAI,CAAC,CAAC;SACvE;QACD,QAAQ,GAAG,cAAc,CAAC;KAC3B;IAED,IAAI,MAAM,GAAG,EAAE,CAAC;IAEhB,gFAAgF;IAChF,yEAAyE;IACzE,IACE,CAAC,CAAC,MAAM,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,2CAAkC,CAAC,CAAC,EAC5E;QACA,MAAM,CAAC,OAAO,CACZ,0EAA0E;YACxE,mCAAmC,CACtC,CAAC;KACH;SAAM;QACL,IAAI,UAAU,KAAK,SAAS,EAAE;YAC5B,MAAM,CAAC,IAAI,CAAC,SAAS,UAAU,4BAA4B,CAAC,CAAC;SAC9D;QAED,MAAM,GAAG,MAAM,MAAM,CAAC,uBAAuB,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;KACrE;IAED,MAAM,CAAC,QAAQ,EAAE,CAAC;IAClB,OAAO,MAAM,CAAC;AAChB,CAAC;AA9CD,gEA8CC"}

lib/setup-codeql.js

@@ -418,7 +418,7 @@ async function downloadCodeQL(codeqlURL, maybeBundleVersion, maybeCliVersion, ap
     else {
         logger.debug("Downloading CodeQL tools without an authorization token.");
     }
-    logger.info(`Downloading CodeQL tools from ${codeqlURL}. This may take a while.`);
+    logger.info(`Downloading CodeQL tools from ${codeqlURL} . This may take a while.`);
     const dest = path.join(tempDir, (0, uuid_1.v4)());
     const finalHeaders = Object.assign({ "User-Agent": "CodeQL Action" }, headers);
     const toolsDownloadStart = perf_hooks_1.performance.now();

lib/tools-features.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isSupportedToolsFeature = exports.ToolsFeature = void 0;
+var ToolsFeature;
+(function (ToolsFeature) {
+    ToolsFeature["IndirectTracingSupportsStaticBinaries"] = "indirectTracingSupportsStaticBinaries";
+})(ToolsFeature || (exports.ToolsFeature = ToolsFeature = {}));
+/**
+ * Determines if the given feature is supported by the CLI.
+ *
+ * @param versionInfo Version information, including features, returned by the CLI.
+ * @param feature The feature to check for.
+ * @returns True if the feature is supported or false otherwise.
+ */
+function isSupportedToolsFeature(versionInfo, feature) {
+    return !!versionInfo.features && versionInfo.features[feature];
+}
+exports.isSupportedToolsFeature = isSupportedToolsFeature;
+//# sourceMappingURL=tools-features.js.map

lib/tools-features.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tools-features.js","sourceRoot":"","sources":["../src/tools-features.ts"],"names":[],"mappings":";;;AAEA,IAAY,YAEX;AAFD,WAAY,YAAY;IACtB,+FAA+E,CAAA;AACjF,CAAC,EAFW,YAAY,4BAAZ,YAAY,QAEvB;AAED;;;;;;GAMG;AACH,SAAgB,uBAAuB,CACrC,WAAwB,EACxB,OAAqB;IAErB,OAAO,CAAC,CAAC,WAAW,CAAC,QAAQ,IAAI,WAAW,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;AACjE,CAAC;AALD,0DAKC"}

lib/tools-features.test.js

@@ -0,0 +1,15 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const ava_1 = __importDefault(require("ava"));
+const testing_utils_1 = require("./testing-utils");
+const tools_features_1 = require("./tools-features");
+(0, ava_1.default)("isSupportedToolsFeature", async (t) => {
+    const versionInfo = (0, testing_utils_1.makeVersionInfo)("1.0.0");
+    t.false((0, tools_features_1.isSupportedToolsFeature)(versionInfo, tools_features_1.ToolsFeature.IndirectTracingSupportsStaticBinaries));
+    versionInfo.features = { indirectTracingSupportsStaticBinaries: true };
+    t.true((0, tools_features_1.isSupportedToolsFeature)(versionInfo, tools_features_1.ToolsFeature.IndirectTracingSupportsStaticBinaries));
+});
+//# sourceMappingURL=tools-features.test.js.map

lib/tools-features.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tools-features.test.js","sourceRoot":"","sources":["../src/tools-features.test.ts"],"names":[],"mappings":";;;;;AAAA,8CAAuB;AAEvB,mDAAkD;AAClD,qDAAyE;AAEzE,IAAA,aAAI,EAAC,yBAAyB,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE;IAC1C,MAAM,WAAW,GAAG,IAAA,+BAAe,EAAC,OAAO,CAAC,CAAC;IAE7C,CAAC,CAAC,KAAK,CACL,IAAA,wCAAuB,EACrB,WAAW,EACX,6BAAY,CAAC,qCAAqC,CACnD,CACF,CAAC;IAEF,WAAW,CAAC,QAAQ,GAAG,EAAE,qCAAqC,EAAE,IAAI,EAAE,CAAC;IAEvE,CAAC,CAAC,IAAI,CACJ,IAAA,wCAAuB,EACrB,WAAW,EACX,6BAAY,CAAC,qCAAqC,CACnD,CACF,CAAC;AACJ,CAAC,CAAC,CAAC"}

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.22.0",
+  "version": "2.22.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "2.22.0",
+  "version": "2.22.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "2.22.0",
+      "version": "2.22.1",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^1.1.2",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.22.0",
+  "version": "2.22.1",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/go-indirect-tracing-workaround-diagnostic.yml

@@ -0,0 +1,49 @@
+name: "Go: diagnostic when Go is changed after init step"
+description: "Checks that we emit a diagnostic if Go is changed after the init step"
+# only Linux is affected
+operatingSystems: ["ubuntu"]
+# pinned to a version which does not support statically linked binaries for indirect tracing
+versions: ["stable-v2.14.6"]
+steps:
+  - uses: actions/setup-go@v4
+    with:
+      # We need a Go version that ships with statically linked binaries on Linux
+      go-version: ">=1.21.0"
+  - uses: ./../action/init
+    with:
+      languages: go
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  # Deliberately change Go after the `init` step
+  - uses: actions/setup-go@v4
+    with:
+      go-version: "1.20"
+  - name: Build code
+    shell: bash
+    run: go build main.go
+  - uses: ./../action/analyze
+    with:
+      output: "${{ runner.temp }}/results"
+      upload-database: false
+  - name: Check diagnostic appears in SARIF
+    uses: actions/github-script@v6
+    env:
+      SARIF_PATH: "${{ runner.temp }}/results/go.sarif"
+    with:
+      script: |
+        const fs = require('fs');
+
+        const sarif = JSON.parse(fs.readFileSync(process.env['SARIF_PATH'], 'utf8'));
+        const run = sarif.runs[0];
+
+        const toolExecutionNotifications = run.invocations[0].toolExecutionNotifications;
+        const statusPageNotifications = toolExecutionNotifications.filter(n =>
+          n.descriptor.id === 'go/workflow/go-installed-after-codeql-init' && n.properties?.visibility?.statusPage
+        );
+        if (statusPageNotifications.length !== 1) {
+          core.setFailed(
+            'Expected exactly one status page reporting descriptor for this diagnostic in the ' +
+              `'runs[].invocations[].toolExecutionNotifications[]' SARIF property, but found ` +
+              `${statusPageNotifications.length}. All notification reporting descriptors: ` +
+              `${JSON.stringify(toolExecutionNotifications)}.`
+          );
+        }

pr-checks/checks/go-indirect-tracing-workaround.yml

@@ -0,0 +1,47 @@
+name: "Go: workaround for indirect tracing"
+description: "Checks that our workaround for indirect tracing for Go 1.21+ on Linux works"
+# only Linux is affected
+operatingSystems: ["ubuntu"]
+# pinned to a version which does not support statically linked binaries for indirect tracing
+versions: ["stable-v2.14.6"]
+steps:
+  - uses: actions/setup-go@v4
+    with:
+      # We need a Go version that ships with statically linked binaries on Linux
+      go-version: ">=1.21.0"
+  - uses: ./../action/init
+    with:
+      languages: go
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - name: Build code
+    shell: bash
+    run: go build main.go
+  - uses: ./../action/analyze
+    with:
+      upload-database: false
+  - shell: bash
+    run: |
+      if [[ -z "${CODEQL_ACTION_GO_BINARY}" ]]; then
+        echo "Expected the workaround for indirect tracing of static binaries to trigger, but the" \
+          "CODEQL_ACTION_GO_BINARY environment variable is not set."
+        exit 1
+      fi
+      if [[ ! -f "${CODEQL_ACTION_GO_BINARY}" ]]; then
+        echo "CODEQL_ACTION_GO_BINARY is set, but the corresponding script does not exist."
+        exit 1
+      fi
+
+
+      # Once we start running Bash 4.2 in all environments, we can replace the
+      # `! -z` flag with the more elegant `-v` which confirms that the variable
+      # is actually unset and not potentially set to a blank value.
+      if [[ ! -z "${CODEQL_ACTION_DID_AUTOBUILD_GOLANG}" ]]; then
+        echo "Expected the Go autobuilder not to be run, but the" \
+          "CODEQL_ACTION_DID_AUTOBUILD_GOLANG environment variable was set."
+        exit 1
+      fi
+      cd "$RUNNER_TEMP/codeql_databases"
+      if [[ ! -d go ]]; then
+        echo "Did not find a Go database"
+        exit 1
+      fi

pr-checks/checks/go-tracing-autobuilder.yml

@@ -4,6 +4,9 @@ operatingSystems: ["ubuntu", "macos"]
 env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
+  - uses: actions/setup-go@v4
+    with:
+      go-version: "~1.21.1"
   - uses: ./../action/init
     with:
       languages: go

pr-checks/checks/go-tracing-custom-build-steps.yml

@@ -2,6 +2,9 @@ name: "Go: tracing with custom build steps"
 description: "Checks that Go tracing traces the build when using custom build steps"
 operatingSystems: ["ubuntu", "macos"]
 steps:
+  - uses: actions/setup-go@v4
+    with:
+      go-version: "~1.21.1"
   - uses: ./../action/init
     with:
       languages: go

pr-checks/checks/go-tracing-legacy-workflow.yml

@@ -4,6 +4,9 @@ operatingSystems: ["ubuntu", "macos"]
 env:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
 steps:
+  - uses: actions/setup-go@v4
+    with:
+      go-version: "~1.21.1"
   - uses: ./../action/init
     with:
       languages: go

pr-checks/checks/resolve-environment-action.yml

@@ -1,17 +1,29 @@
 name: "Resolve environment"
-description: "Tests that the resolve-environment action works for Go"
-versions: ["stable-v2.13.4"]
+description: "Tests that the resolve-environment action works for Go and JavaScript/TypeScript"
+versions: ["stable-v2.13.4", "default", "latest", "nightly-latest"]
 steps:
   - uses: ./../action/init
     with:
-      languages: go
+      languages: ${{ matrix.version == 'stable-v2.13.4' && 'go' || 'go,javascript-typescript' }}
       tools: ${{ steps.prepare-test.outputs.tools-url }}
 
-  - uses: ./../action/resolve-environment
-    id: resolve-environment
+  - name: Resolve environment for Go
+    uses: ./../action/resolve-environment
+    id: resolve-environment-go
     with:
       language: go
 
-  - name: "Fail if no Go configuration was returned"
-    if: (!fromJSON(steps.resolve-environment.outputs.environment).configuration.go)
+  - name: Fail if Go configuration missing
+    if: (!fromJSON(steps.resolve-environment-go.outputs.environment).configuration.go)
+    run: exit 1
+
+  - name: Resolve environment for JavaScript/TypeScript
+    if: matrix.version != 'stable-v2.13.4'
+    uses: ./../action/resolve-environment
+    id: resolve-environment-js
+    with:
+      language: javascript-typescript
+
+  - name: Fail if JavaScript/TypeScript configuration present
+    if: matrix.version != 'stable-v2.13.4' && fromJSON(steps.resolve-environment-js.outputs.environment).configuration.javascript
     run: exit 1

python-setup/install_tools.ps1

@@ -1,5 +1,15 @@
 #! /usr/bin/pwsh
 
+# If we are running greater than or equal to python 3.12, add src to the python path
+Write-Host "Checking python version"
+Write-Host "PYTHONPATH $Env:PYTHONPATH"
+if ((py -3 -c "import sys; print(0 if sys.version_info >= (3, 12) else 1)") -eq "0") {
+    Write-Host "Python 3.12+ detected, adding imp.py to PYTHONPATH"
+    Write-Output "PYTHONPATH=$Env:PYTHONPATH;$PSScriptRoot/src" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
+} else {
+    Write-Host "Python 3.12+ not detected, not adding imp.py to PYTHONPATH"
+}
+
 py -2 -m pip install --user --upgrade pip setuptools wheel
 py -3 -m pip install --user --upgrade pip setuptools wheel
 

python-setup/src/imp.py

@@ -0,0 +1,346 @@
+"""This module provides the components needed to build your own __import__
+function.  Undocumented functions are obsolete.
+
+In most cases it is preferred you consider using the importlib module's
+functionality over this module.
+
+"""
+# (Probably) need to stay in _imp
+from _imp import (lock_held, acquire_lock, release_lock,
+                  get_frozen_object, is_frozen_package,
+                  init_frozen, is_builtin, is_frozen,
+                  _fix_co_filename, _frozen_module_names)
+try:
+    from _imp import create_dynamic
+except ImportError:
+    # Platform doesn't support dynamic loading.
+    create_dynamic = None
+
+from importlib._bootstrap import _ERR_MSG, _exec, _load, _builtin_from_name
+from importlib._bootstrap_external import SourcelessFileLoader
+
+from importlib import machinery
+from importlib import util
+import importlib
+import os
+import sys
+import tokenize
+import types
+import warnings
+
+warnings.warn("the imp module is deprecated in favour of importlib and slated "
+              "for removal in Python 3.12; "
+              "see the module's documentation for alternative uses",
+              DeprecationWarning, stacklevel=2)
+
+# DEPRECATED
+SEARCH_ERROR = 0
+PY_SOURCE = 1
+PY_COMPILED = 2
+C_EXTENSION = 3
+PY_RESOURCE = 4
+PKG_DIRECTORY = 5
+C_BUILTIN = 6
+PY_FROZEN = 7
+PY_CODERESOURCE = 8
+IMP_HOOK = 9
+
+
+def new_module(name):
+    """**DEPRECATED**
+
+    Create a new module.
+
+    The module is not entered into sys.modules.
+
+    """
+    return types.ModuleType(name)
+
+
+def get_magic():
+    """**DEPRECATED**
+
+    Return the magic number for .pyc files.
+    """
+    return util.MAGIC_NUMBER
+
+
+def get_tag():
+    """Return the magic tag for .pyc files."""
+    return sys.implementation.cache_tag
+
+
+def cache_from_source(path, debug_override=None):
+    """**DEPRECATED**
+
+    Given the path to a .py file, return the path to its .pyc file.
+
+    The .py file does not need to exist; this simply returns the path to the
+    .pyc file calculated as if the .py file were imported.
+
+    If debug_override is not None, then it must be a boolean and is used in
+    place of sys.flags.optimize.
+
+    If sys.implementation.cache_tag is None then NotImplementedError is raised.
+
+    """
+    with warnings.catch_warnings():
+        warnings.simplefilter('ignore')
+        return util.cache_from_source(path, debug_override)
+
+
+def source_from_cache(path):
+    """**DEPRECATED**
+
+    Given the path to a .pyc. file, return the path to its .py file.
+
+    The .pyc file does not need to exist; this simply returns the path to
+    the .py file calculated to correspond to the .pyc file.  If path does
+    not conform to PEP 3147 format, ValueError will be raised. If
+    sys.implementation.cache_tag is None then NotImplementedError is raised.
+
+    """
+    return util.source_from_cache(path)
+
+
+def get_suffixes():
+    """**DEPRECATED**"""
+    extensions = [(s, 'rb', C_EXTENSION) for s in machinery.EXTENSION_SUFFIXES]
+    source = [(s, 'r', PY_SOURCE) for s in machinery.SOURCE_SUFFIXES]
+    bytecode = [(s, 'rb', PY_COMPILED) for s in machinery.BYTECODE_SUFFIXES]
+
+    return extensions + source + bytecode
+
+
+class NullImporter:
+
+    """**DEPRECATED**
+
+    Null import object.
+
+    """
+
+    def __init__(self, path):
+        if path == '':
+            raise ImportError('empty pathname', path='')
+        elif os.path.isdir(path):
+            raise ImportError('existing directory', path=path)
+
+    def find_module(self, fullname):
+        """Always returns None."""
+        return None
+
+
+class _HackedGetData:
+
+    """Compatibility support for 'file' arguments of various load_*()
+    functions."""
+
+    def __init__(self, fullname, path, file=None):
+        super().__init__(fullname, path)
+        self.file = file
+
+    def get_data(self, path):
+        """Gross hack to contort loader to deal w/ load_*()'s bad API."""
+        if self.file and path == self.path:
+            # The contract of get_data() requires us to return bytes. Reopen the
+            # file in binary mode if needed.
+            if not self.file.closed:
+                file = self.file
+                if 'b' not in file.mode:
+                    file.close()
+            if self.file.closed:
+                self.file = file = open(self.path, 'rb')
+
+            with file:
+                return file.read()
+        else:
+            return super().get_data(path)
+
+
+class _LoadSourceCompatibility(_HackedGetData, machinery.SourceFileLoader):
+
+    """Compatibility support for implementing load_source()."""
+
+
+def load_source(name, pathname, file=None):
+    loader = _LoadSourceCompatibility(name, pathname, file)
+    spec = util.spec_from_file_location(name, pathname, loader=loader)
+    if name in sys.modules:
+        module = _exec(spec, sys.modules[name])
+    else:
+        module = _load(spec)
+    # To allow reloading to potentially work, use a non-hacked loader which
+    # won't rely on a now-closed file object.
+    module.__loader__ = machinery.SourceFileLoader(name, pathname)
+    module.__spec__.loader = module.__loader__
+    return module
+
+
+class _LoadCompiledCompatibility(_HackedGetData, SourcelessFileLoader):
+
+    """Compatibility support for implementing load_compiled()."""
+
+
+def load_compiled(name, pathname, file=None):
+    """**DEPRECATED**"""
+    loader = _LoadCompiledCompatibility(name, pathname, file)
+    spec = util.spec_from_file_location(name, pathname, loader=loader)
+    if name in sys.modules:
+        module = _exec(spec, sys.modules[name])
+    else:
+        module = _load(spec)
+    # To allow reloading to potentially work, use a non-hacked loader which
+    # won't rely on a now-closed file object.
+    module.__loader__ = SourcelessFileLoader(name, pathname)
+    module.__spec__.loader = module.__loader__
+    return module
+
+
+def load_package(name, path):
+    """**DEPRECATED**"""
+    if os.path.isdir(path):
+        extensions = (machinery.SOURCE_SUFFIXES[:] +
+                      machinery.BYTECODE_SUFFIXES[:])
+        for extension in extensions:
+            init_path = os.path.join(path, '__init__' + extension)
+            if os.path.exists(init_path):
+                path = init_path
+                break
+        else:
+            raise ValueError('{!r} is not a package'.format(path))
+    spec = util.spec_from_file_location(name, path,
+                                        submodule_search_locations=[])
+    if name in sys.modules:
+        return _exec(spec, sys.modules[name])
+    else:
+        return _load(spec)
+
+
+def load_module(name, file, filename, details):
+    """**DEPRECATED**
+
+    Load a module, given information returned by find_module().
+
+    The module name must include the full package name, if any.
+
+    """
+    suffix, mode, type_ = details
+    if mode and (not mode.startswith('r') or '+' in mode):
+        raise ValueError('invalid file open mode {!r}'.format(mode))
+    elif file is None and type_ in {PY_SOURCE, PY_COMPILED}:
+        msg = 'file object required for import (type code {})'.format(type_)
+        raise ValueError(msg)
+    elif type_ == PY_SOURCE:
+        return load_source(name, filename, file)
+    elif type_ == PY_COMPILED:
+        return load_compiled(name, filename, file)
+    elif type_ == C_EXTENSION and load_dynamic is not None:
+        if file is None:
+            with open(filename, 'rb') as opened_file:
+                return load_dynamic(name, filename, opened_file)
+        else:
+            return load_dynamic(name, filename, file)
+    elif type_ == PKG_DIRECTORY:
+        return load_package(name, filename)
+    elif type_ == C_BUILTIN:
+        return init_builtin(name)
+    elif type_ == PY_FROZEN:
+        return init_frozen(name)
+    else:
+        msg =  "Don't know how to import {} (type code {})".format(name, type_)
+        raise ImportError(msg, name=name)
+
+
+def find_module(name, path=None):
+    """**DEPRECATED**
+
+    Search for a module.
+
+    If path is omitted or None, search for a built-in, frozen or special
+    module and continue search in sys.path. The module name cannot
+    contain '.'; to search for a submodule of a package, pass the
+    submodule name and the package's __path__.
+
+    """
+    if not isinstance(name, str):
+        raise TypeError("'name' must be a str, not {}".format(type(name)))
+    elif not isinstance(path, (type(None), list)):
+        # Backwards-compatibility
+        raise RuntimeError("'path' must be None or a list, "
+                           "not {}".format(type(path)))
+
+    if path is None:
+        if is_builtin(name):
+            return None, None, ('', '', C_BUILTIN)
+        elif is_frozen(name):
+            return None, None, ('', '', PY_FROZEN)
+        else:
+            path = sys.path
+
+    for entry in path:
+        package_directory = os.path.join(entry, name)
+        for suffix in ['.py', machinery.BYTECODE_SUFFIXES[0]]:
+            package_file_name = '__init__' + suffix
+            file_path = os.path.join(package_directory, package_file_name)
+            if os.path.isfile(file_path):
+                return None, package_directory, ('', '', PKG_DIRECTORY)
+        for suffix, mode, type_ in get_suffixes():
+            file_name = name + suffix
+            file_path = os.path.join(entry, file_name)
+            if os.path.isfile(file_path):
+                break
+        else:
+            continue
+        break  # Break out of outer loop when breaking out of inner loop.
+    else:
+        raise ImportError(_ERR_MSG.format(name), name=name)
+
+    encoding = None
+    if 'b' not in mode:
+        with open(file_path, 'rb') as file:
+            encoding = tokenize.detect_encoding(file.readline)[0]
+    file = open(file_path, mode, encoding=encoding)
+    return file, file_path, (suffix, mode, type_)
+
+
+def reload(module):
+    """**DEPRECATED**
+
+    Reload the module and return it.
+
+    The module must have been successfully imported before.
+
+    """
+    return importlib.reload(module)
+
+
+def init_builtin(name):
+    """**DEPRECATED**
+
+    Load and return a built-in module by name, or None is such module doesn't
+    exist
+    """
+    try:
+        return _builtin_from_name(name)
+    except ImportError:
+        return None
+
+
+if create_dynamic:
+    def load_dynamic(name, path, file=None):
+        """**DEPRECATED**
+
+        Load an extension module.
+        """
+        import importlib.machinery
+        loader = importlib.machinery.ExtensionFileLoader(name, path)
+
+        # Issue #24748: Skip the sys.modules check in _load_module_shim;
+        # always load new extension
+        spec = importlib.machinery.ModuleSpec(
+            name=name, loader=loader, origin=path)
+        return _load(spec)
+
+else:
+    load_dynamic = None

src/actions-util.ts

@@ -425,3 +425,39 @@ export function getWorkflowRunAttempt(): number {
   }
   return workflowRunAttempt;
 }
+
+/**
+ * Tries to obtain the output of the `file` command for the file at the specified path.
+ * The output will vary depending on the type of `file`, which operating system we are running on, etc.
+ */
+export const getFileType = async (filePath: string): Promise<string> => {
+  let stderr = "";
+  let stdout = "";
+  try {
+    // The `file` command will output information about the type of file pointed at by `filePath`.
+    // For binary files, this may include e.g. whether they are static of dynamic binaries.
+    // The `-L` switch instructs the command to follow symbolic links.
+    await new toolrunner.ToolRunner(
+      await safeWhich.safeWhich("file"),
+      ["-L", filePath],
+      {
+        silent: true,
+        listeners: {
+          stdout: (data) => {
+            stdout += data.toString();
+          },
+          stderr: (data) => {
+            stderr += data.toString();
+          },
+        },
+      },
+    ).exec();
+    return stdout.trim();
+  } catch (e) {
+    core.info(
+      `Could not determine type of ${filePath} from ${stdout}. ${stderr}`,
+    );
+
+    throw e;
+  }
+};

src/analyze-action.ts

@@ -3,6 +3,7 @@ import path from "path";
 import { performance } from "perf_hooks";
 
 import * as core from "@actions/core";
+import { safeWhich } from "@chrisgavin/safe-which";
 
 import * as actionsUtil from "./actions-util";
 import {
@@ -18,6 +19,7 @@ import { runAutobuild } from "./autobuild";
 import { getCodeQL } from "./codeql";
 import { Config, getConfig } from "./config-utils";
 import { uploadDatabases } from "./database-upload";
+import { addDiagnostic, makeDiagnostic } from "./diagnostics";
 import { EnvVar } from "./environment";
 import { Features } from "./feature-flags";
 import { Language } from "./languages";
@@ -231,6 +233,41 @@ async function run() {
       logger,
     );
 
+    // Check that `which go` still points at the wrapper script we installed in the `init` Action,
+    // if the corresponding environment variable is set. This is to ensure that there isn't a step
+    // in the workflow after the `init` step which installs a different version of Go and takes
+    // precedence in the PATH, thus potentially circumventing our workaround that allows tracing to work.
+    const goWrapperPath = process.env[EnvVar.GO_BINARY_LOCATION];
+
+    if (goWrapperPath !== undefined) {
+      const goBinaryPath = await safeWhich("go");
+
+      if (goWrapperPath !== goBinaryPath) {
+        core.warning(
+          `Expected \`which go\` to return ${goWrapperPath}, but got ${goBinaryPath}: please ensure that the correct version of Go is installed before the \`codeql-action/init\` Action is used.`,
+        );
+
+        addDiagnostic(
+          config,
+          Language.go,
+          makeDiagnostic(
+            "go/workflow/go-installed-after-codeql-init",
+            "Go was installed after the `codeql-action/init` Action was run",
+            {
+              markdownMessage:
+                "To avoid interfering with the CodeQL analysis, perform all installation steps before calling the `github/codeql-action/init` Action.",
+              visibility: {
+                statusPage: true,
+                telemetry: true,
+                cliSummaryTable: true,
+              },
+              severity: "warning",
+            },
+          ),
+        );
+      }
+    }
+
     await runAutobuildIfLegacyGoWorkflow(config, logger);
 
     dbCreationTimings = await runFinalize(

src/autobuild-action.ts

@@ -8,7 +8,6 @@ import {
 import { getGitHubVersion } from "./api-client";
 import { determineAutobuildLanguages, runAutobuild } from "./autobuild";
 import * as configUtils from "./config-utils";
-import { EnvVar } from "./environment";
 import { Language } from "./languages";
 import { Logger, getActionsLogger } from "./logging";
 import {
@@ -98,9 +97,6 @@ async function run() {
       for (const language of languages) {
         currentLanguage = language;
         await runAutobuild(language, config, logger);
-        if (language === Language.go) {
-          core.exportVariable(EnvVar.DID_AUTOBUILD_GOLANG, "true");
-        }
       }
     }
   } catch (unwrappedError) {

src/autobuild.ts

@@ -4,6 +4,7 @@ import { getTemporaryDirectory, getWorkflowEventName } from "./actions-util";
 import { getGitHubVersion } from "./api-client";
 import { CodeQL, getCodeQL } from "./codeql";
 import * as configUtils from "./config-utils";
+import { EnvVar } from "./environment";
 import { Feature, featureConfig, Features } from "./feature-flags";
 import { isTracedLanguage, Language } from "./languages";
 import { Logger } from "./logging";
@@ -150,5 +151,8 @@ export async function runAutobuild(
     await setupCppAutobuild(codeQL, logger);
   }
   await codeQL.runAutobuild(language);
+  if (language === Language.go) {
+    core.exportVariable(EnvVar.DID_AUTOBUILD_GOLANG, "true");
+  }
   logger.endGroup();
 }

src/codeql.ts

@@ -128,7 +128,7 @@ export interface CodeQL {
    */
   resolveBuildEnvironment(
     workingDir: string | undefined,
-    language: Language,
+    language: string,
   ): Promise<ResolveBuildEnvironmentOutput>;
 
   /**
@@ -624,6 +624,7 @@ export async function getCodeQLForCmd(
           "--db-cluster",
           config.dbLocation,
           `--source-root=${sourceRoot}`,
+          ...(await getLanguageAliasingArguments(this)),
           ...extraArgs,
           ...getExtraOptionsFromEnv(["database", "init"]),
         ],
@@ -737,20 +738,12 @@ export async function getCodeQLForCmd(
       }
     },
     async betterResolveLanguages() {
-      const extraArgs: string[] = [];
-
-      if (
-        await util.codeQlVersionAbove(this, CODEQL_VERSION_LANGUAGE_ALIASING)
-      ) {
-        extraArgs.push("--extractor-include-aliases");
-      }
-
       const codeqlArgs = [
         "resolve",
         "languages",
         "--format=betterjson",
         "--extractor-options-verbosity=4",
-        ...extraArgs,
+        ...(await getLanguageAliasingArguments(this)),
         ...getExtraOptionsFromEnv(["resolve", "languages"]),
       ];
       const output = await runTool(cmd, codeqlArgs);
@@ -787,12 +780,13 @@ export async function getCodeQLForCmd(
     },
     async resolveBuildEnvironment(
       workingDir: string | undefined,
-      language: Language,
+      language: string,
     ) {
       const codeqlArgs = [
         "resolve",
         "build-environment",
         `--language=${language}`,
+        ...(await getLanguageAliasingArguments(this)),
         ...getExtraOptionsFromEnv(["resolve", "build-environment"]),
       ];
       if (workingDir !== undefined) {
@@ -1082,6 +1076,7 @@ export async function getCodeQLForCmd(
           "extractor",
           "--format=json",
           `--language=${language}`,
+          ...(await getLanguageAliasingArguments(this)),
           ...getExtraOptionsFromEnv(["resolve", "extractor"]),
         ],
         {
@@ -1470,3 +1465,10 @@ async function isDiagnosticsExportInvalidSarifFixed(
     CODEQL_VERSION_DIAGNOSTICS_EXPORT_FIXED,
   );
 }
+
+async function getLanguageAliasingArguments(codeql: CodeQL): Promise<string[]> {
+  if (await util.codeQlVersionAbove(codeql, CODEQL_VERSION_LANGUAGE_ALIASING)) {
+    return ["--extractor-include-aliases"];
+  }
+  return [];
+}

src/diagnostics.ts

@@ -0,0 +1,109 @@
+import { mkdirSync, writeFileSync } from "fs";
+import path from "path";
+
+import { Config } from "./config-utils";
+import { Language } from "./languages";
+import { getActionsLogger } from "./logging";
+import { getCodeQLDatabasePath } from "./util";
+
+/** Represents a diagnostic message for the tool status page, etc. */
+export interface DiagnosticMessage {
+  /** ISO 8601 timestamp */
+  timestamp: string;
+  source: {
+    /**
+     * An identifier under which it makes sense to group this diagnostic message.
+     * This is used to build the SARIF reporting descriptor object.
+     */
+    id: string;
+    /** Display name for the ID. This is used to build the SARIF reporting descriptor object. */
+    name: string;
+    /**
+     * Name of the CodeQL extractor. This is used to identify which tool component the reporting
+     * descriptor object should be nested under in SARIF.
+     */
+    extractorName?: string;
+  };
+  /** GitHub flavored Markdown formatted message. Should include inline links to any help pages. */
+  markdownMessage?: string;
+  /** Plain text message. Used by components where the string processing needed to support Markdown is cumbersome. */
+  plaintextMessage?: string;
+  /** List of help links intended to supplement the `plaintextMessage`. */
+  helpLinks?: string[];
+  /** SARIF severity */
+  severity?: "error" | "warning" | "note";
+  visibility?: {
+    /** True if the message should be displayed on the status page (defaults to false) */
+    statusPage?: boolean;
+    /**
+     * True if the message should be counted in the diagnostics summary table printed by `codeql database analyze`
+     * (defaults to false)
+     */
+    cliSummaryTable?: boolean;
+    /** True if the message should be sent to telemetry (defaults to false) */
+    telemetry?: boolean;
+  };
+  location?: {
+    /** Path to the affected file if appropriate, relative to the source root */
+    file?: string;
+    startLine?: number;
+    startColumn?: number;
+    endLine?: number;
+    endColumn?: number;
+  };
+  /** Structured metadata about the diagnostic message */
+  attributes?: { [key: string]: any };
+}
+
+/**
+ * Constructs a new diagnostic message with the specified id and name, as well as optional additional data.
+ *
+ * @param id An identifier under which it makes sense to group this diagnostic message.
+ * @param name Display name for the ID.
+ * @param data Optional additional data to initialize the diagnostic with.
+ * @returns Returns the new diagnostic message.
+ */
+export function makeDiagnostic(
+  id: string,
+  name: string,
+  data: Partial<DiagnosticMessage> | undefined = undefined,
+): DiagnosticMessage {
+  return {
+    ...data,
+    timestamp: data?.timestamp ?? new Date().toISOString(),
+    source: { ...data?.source, id, name },
+  };
+}
+
+/**
+ * Writes the given diagnostic to the database.
+ *
+ * @param config The configuration that tells us where to store the diagnostic.
+ * @param diagnostic The diagnostic message to add to the database.
+ */
+export function addDiagnostic(
+  config: Config,
+  language: Language,
+  diagnostic: DiagnosticMessage,
+) {
+  const logger = getActionsLogger();
+  const diagnosticsPath = path.resolve(
+    getCodeQLDatabasePath(config, language),
+    "diagnostic",
+    "codeql-action",
+  );
+
+  try {
+    // Create the directory if it doesn't exist yet.
+    mkdirSync(diagnosticsPath, { recursive: true });
+
+    const jsonPath = path.resolve(
+      diagnosticsPath,
+      `codeql-action-${diagnostic.timestamp}.json`,
+    );
+
+    writeFileSync(jsonPath, JSON.stringify(diagnostic));
+  } catch (err) {
+    logger.warning(`Unable to write diagnostic message to database: ${err}`);
+  }
+}

src/environment.ts

@@ -62,4 +62,11 @@ export enum EnvVar {
    * rather that the init action.
    */
   WORKFLOW_STARTED_AT = "CODEQL_WORKFLOW_STARTED_AT",
+
+  /**
+   * The path where we initially discovered the Go binary in the system path
+   * before replacing it with a wrapper script. We check this later to ensure
+   * that it hasn't been tampered with by a late e.g. `setup-go` step.
+   */
+  GO_BINARY_LOCATION = "CODEQL_ACTION_GO_BINARY",
 }

src/init-action.ts

@@ -1,10 +1,13 @@
+import * as fs from "fs";
 import * as path from "path";
 
 import * as core from "@actions/core";
+import { safeWhich } from "@chrisgavin/safe-which";
 import { v4 as uuidV4 } from "uuid";
 
 import {
   getActionVersion,
+  getFileType,
   getOptionalInput,
   getRequiredInput,
   getTemporaryDirectory,
@@ -25,6 +28,7 @@ import {
   getActionsStatus,
   sendStatusReport,
 } from "./status-report";
+import { ToolsFeature, isSupportedToolsFeature } from "./tools-features";
 import { getTotalCacheSize } from "./trap-caching";
 import {
   checkDiskUsage,
@@ -312,6 +316,9 @@ async function run() {
   }
 
   try {
+    // Query CLI for supported features
+    const versionInfo = await codeql.getVersion();
+
     // Forward Go flags
     const goFlags = process.env["GOFLAGS"];
     if (goFlags) {
@@ -321,6 +328,53 @@ async function run() {
       );
     }
 
+    // Go 1.21 and above ships with statically linked binaries on Linux. CodeQL cannot currently trace custom builds
+    // where the entry point is a statically linked binary. Until that is fixed, we work around the problem by
+    // replacing the `go` binary with a shell script that invokes the actual `go` binary. Since the shell is typically
+    // dynamically linked, this provides a suitable entry point for the CodeQL tracer.
+    if (
+      config.languages.includes(Language.go) &&
+      process.platform === "linux" &&
+      !isSupportedToolsFeature(
+        versionInfo,
+        ToolsFeature.IndirectTracingSupportsStaticBinaries,
+      )
+    ) {
+      try {
+        const goBinaryPath = await safeWhich("go");
+        const fileOutput = await getFileType(goBinaryPath);
+
+        if (fileOutput.includes("statically linked")) {
+          logger.debug(`Applying static binary workaround for Go`);
+
+          // Create a directory that we can add to the system PATH.
+          const tempBinPath = path.resolve(
+            getTemporaryDirectory(),
+            "codeql-action-go-tracing",
+            "bin",
+          );
+          fs.mkdirSync(tempBinPath, { recursive: true });
+          core.addPath(tempBinPath);
+
+          // Write the wrapper script to the directory we just added to the PATH.
+          const goWrapperPath = path.resolve(tempBinPath, "go");
+          fs.writeFileSync(
+            goWrapperPath,
+            `#!/bin/bash\n\nexec ${goBinaryPath} "$@"`,
+          );
+          fs.chmodSync(goWrapperPath, "755");
+
+          // Store the original location of our wrapper script somewhere where we can
+          // later retrieve it from and cross-check that it hasn't been changed.
+          core.exportVariable(EnvVar.GO_BINARY_LOCATION, goWrapperPath);
+        }
+      } catch (e) {
+        logger.warning(
+          `Analyzing Go on Linux, but failed to install wrapper script. Tracing custom builds may fail: ${e}`,
+        );
+      }
+    }
+
     // Limit RAM and threads for extractors. When running extractors, the CodeQL CLI obeys the
     // CODEQL_RAM and CODEQL_THREADS environment variables to decide how much RAM and how many
     // threads it would ask extractors to use. See help text for the "--ram" and "--threads"

src/resolve-environment-action.ts

@@ -8,7 +8,6 @@ import {
 import { getGitHubVersion } from "./api-client";
 import { CommandInvocationError } from "./codeql";
 import * as configUtils from "./config-utils";
-import { Language, parseLanguage } from "./languages";
 import { getActionsLogger } from "./logging";
 import { runResolveBuildEnvironment } from "./resolve-environment";
 import {
@@ -44,16 +43,6 @@ async function run() {
       return;
     }
 
-    const language: Language | undefined = parseLanguage(
-      getRequiredInput("language"),
-    );
-
-    if (language === undefined) {
-      throw new Error(
-        `Did not recognize the language "${getRequiredInput("language")}".`,
-      );
-    }
-
     const gitHubVersion = await getGitHubVersion();
     checkGitHubVersionInRange(gitHubVersion, logger);
 
@@ -69,7 +58,7 @@ async function run() {
       config.codeQLCmd,
       logger,
       workingDirectory,
-      language,
+      getRequiredInput("language"),
     );
     core.setOutput(ENVIRONMENT_OUTPUT_NAME, result);
   } catch (unwrappedError) {

src/resolve-environment.ts

@@ -1,5 +1,9 @@
-import { CODEQL_VERSION_RESOLVE_ENVIRONMENT, getCodeQL } from "./codeql";
-import { Language } from "./languages";
+import {
+  CODEQL_VERSION_LANGUAGE_ALIASING,
+  CODEQL_VERSION_RESOLVE_ENVIRONMENT,
+  getCodeQL,
+} from "./codeql";
+import { parseLanguage } from "./languages";
 import { Logger } from "./logging";
 import * as util from "./util";
 
@@ -7,11 +11,27 @@ export async function runResolveBuildEnvironment(
   cmd: string,
   logger: Logger,
   workingDir: string | undefined,
-  language: Language,
+  languageInput: string,
 ) {
-  logger.startGroup(`Attempting to resolve build environment for ${language}`);
+  logger.startGroup(
+    `Attempting to resolve build environment for ${languageInput}`,
+  );
 
   const codeql = await getCodeQL(cmd);
+
+  let language = languageInput;
+  // If the CodeQL CLI version in use supports language aliasing, give the CLI the raw language
+  // input. Otherwise, parse the language input and give the CLI the parsed language.
+  if (
+    !(await util.codeQlVersionAbove(codeql, CODEQL_VERSION_LANGUAGE_ALIASING))
+  ) {
+    const parsedLanguage = parseLanguage(languageInput)?.toString();
+    if (parsedLanguage === undefined) {
+      throw new Error(`Did not recognize the language '${languageInput}'.`);
+    }
+    language = parsedLanguage;
+  }
+
   let result = {};
 
   // If the CodeQL version in use does not support the `resolve build-environment`

src/setup-codeql.ts

@@ -553,7 +553,7 @@ export async function downloadCodeQL(
     logger.debug("Downloading CodeQL tools without an authorization token.");
   }
   logger.info(
-    `Downloading CodeQL tools from ${codeqlURL}. This may take a while.`,
+    `Downloading CodeQL tools from ${codeqlURL} . This may take a while.`,
   );
 
   const dest = path.join(tempDir, uuidV4());

src/tools-features.test.ts

@@ -0,0 +1,24 @@
+import test from "ava";
+
+import { makeVersionInfo } from "./testing-utils";
+import { ToolsFeature, isSupportedToolsFeature } from "./tools-features";
+
+test("isSupportedToolsFeature", async (t) => {
+  const versionInfo = makeVersionInfo("1.0.0");
+
+  t.false(
+    isSupportedToolsFeature(
+      versionInfo,
+      ToolsFeature.IndirectTracingSupportsStaticBinaries,
+    ),
+  );
+
+  versionInfo.features = { indirectTracingSupportsStaticBinaries: true };
+
+  t.true(
+    isSupportedToolsFeature(
+      versionInfo,
+      ToolsFeature.IndirectTracingSupportsStaticBinaries,
+    ),
+  );
+});

src/tools-features.ts

@@ -0,0 +1,19 @@
+import { VersionInfo } from "./codeql";
+
+export enum ToolsFeature {
+  IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries",
+}
+
+/**
+ * Determines if the given feature is supported by the CLI.
+ *
+ * @param versionInfo Version information, including features, returned by the CLI.
+ * @param feature The feature to check for.
+ * @returns True if the feature is supported or false otherwise.
+ */
+export function isSupportedToolsFeature(
+  versionInfo: VersionInfo,
+  feature: ToolsFeature,
+): boolean {
+  return !!versionInfo.features && versionInfo.features[feature];
+}