Move conversion of PR diff-range paths to absolute paths

Add unit test for diffRangeExtensionPackContents
Move diff-range extension pack generation into testable function
2025-12-16 20:39:23 +08:00 · 2025-11-12 08:10:40 +01:00 · 2025-11-12 08:10:40 +01:00 · 2025-11-12 08:10:39 +01:00 · 2025-11-12 08:10:39 +01:00
12 changed files with 336 additions and 100 deletions
--- a/lib/analyze-action.js
+++ b/lib/analyze-action.js
@@ -89182,14 +89182,13 @@ Error Response: ${JSON.stringify(error4.response, null, 2)}`
  }
 }
 function getDiffRanges(fileDiff, logger) {
-  const filename = path5.join(getRequiredInput("checkout_path"), fileDiff.filename).replaceAll(path5.sep, "/");
  if (fileDiff.patch === void 0) {
    if (fileDiff.changes === 0) {
      return [];
    }
    return [
      {
-        path: filename,
+        path: fileDiff.filename,
        startLine: 0,
        endLine: 0
      }
@@ -89213,7 +89212,7 @@ function getDiffRanges(fileDiff, logger) {
    }
    if (additionRangeStartLine !== void 0) {
      diffRanges.push({
-        path: filename,
+        path: fileDiff.filename,
        startLine: additionRangeStartLine,
        endLine: currentLine - 1
      });
@@ -91324,6 +91323,25 @@ async function setupDiffInformedQueryRun(branches, logger) {
    }
  );
 }
+function diffRangeExtensionPackContents(ranges) {
+  const header = `
+extensions:
+  - addsTo:
+      pack: codeql/util
+      extensible: restrictAlertsTo
+      checkPresence: false
+    data:
+`;
+  let data = ranges.map((range) => {
+    const filename = path12.join(getRequiredInput("checkout_path"), range.path).replaceAll(path12.sep, "/");
+    return `      - [${dump(filename, { forceQuotes: true }).trim()}, ${range.startLine}, ${range.endLine}]
+`;
+  }).join("");
+  if (!data) {
+    data = '      - ["", 0, 0]\n';
+  }
+  return header + data;
+}
 function writeDiffRangeDataExtensionPack(logger, ranges) {
  if (ranges === void 0) {
    return void 0;
@@ -91345,27 +91363,7 @@ dataExtensions:
  - pr-diff-range.yml
 `
  );
-  const header = `
-extensions:
-  - addsTo:
-      pack: codeql/util
-      extensible: restrictAlertsTo
-      checkPresence: false
-    data:
-`;
-  let data = ranges.map(
-    (range) => (
-      // Using yaml.dump() with `forceQuotes: true` ensures that all special
-      // characters are escaped, and that the path is always rendered as a
-      // quoted string on a single line.
-      `      - [${dump(range.path, { forceQuotes: true }).trim()}, ${range.startLine}, ${range.endLine}]
-`
-    )
-  ).join("");
-  if (!data) {
-    data = '      - ["", 0, 0]\n';
-  }
-  const extensionContents = header + data;
+  const extensionContents = diffRangeExtensionPackContents(ranges);
  const extensionFilePath = path12.join(diffRangeDir, "pr-diff-range.yml");
  fs12.writeFileSync(extensionFilePath, extensionContents);
  logger.debug(
@@ -93648,7 +93646,6 @@ function filterAlertsByDiffRange(logger, sarif) {
  if (!diffRanges?.length) {
    return sarif;
  }
-  const checkoutPath = getRequiredInput("checkout_path");
  for (const run2 of sarif.runs) {
    if (run2.results) {
      run2.results = run2.results.filter((result) => {
@@ -93662,9 +93659,8 @@ function filterAlertsByDiffRange(logger, sarif) {
          if (!locationUri || locationStartLine === void 0) {
            return false;
          }
-          const locationPath = path14.join(checkoutPath, locationUri).replaceAll(path14.sep, "/");
          return diffRanges.some(
-            (range) => range.path === locationPath && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
+            (range) => range.path === locationUri && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
          );
        });
      });
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -90452,8 +90452,8 @@ var require_primordials = __commonJS({
      ArrayPrototypeIndexOf(self2, el) {
        return self2.indexOf(el);
      },
-      ArrayPrototypeJoin(self2, sep4) {
-        return self2.join(sep4);
+      ArrayPrototypeJoin(self2, sep3) {
+        return self2.join(sep3);
      },
      ArrayPrototypeMap(self2, fn) {
        return self2.map(fn);
@@ -102340,7 +102340,7 @@ var require_commonjs16 = __commonJS({
       *
       * @internal
       */
-      constructor(cwd = process.cwd(), pathImpl, sep4, { nocase, childrenCacheSize = 16 * 1024, fs: fs17 = defaultFS } = {}) {
+      constructor(cwd = process.cwd(), pathImpl, sep3, { nocase, childrenCacheSize = 16 * 1024, fs: fs17 = defaultFS } = {}) {
        this.#fs = fsFromOption(fs17);
        if (cwd instanceof URL || cwd.startsWith("file://")) {
          cwd = (0, node_url_1.fileURLToPath)(cwd);
@@ -102351,7 +102351,7 @@ var require_commonjs16 = __commonJS({
        this.#resolveCache = new ResolveCache();
        this.#resolvePosixCache = new ResolveCache();
        this.#children = new ChildrenCache(childrenCacheSize);
-        const split = cwdPath.substring(this.rootPath.length).split(sep4);
+        const split = cwdPath.substring(this.rootPath.length).split(sep3);
        if (split.length === 1 && !split[0]) {
          split.pop();
        }
@@ -127560,7 +127560,6 @@ function filterAlertsByDiffRange(logger, sarif) {
  if (!diffRanges?.length) {
    return sarif;
  }
-  const checkoutPath = getRequiredInput("checkout_path");
  for (const run2 of sarif.runs) {
    if (run2.results) {
      run2.results = run2.results.filter((result) => {
@@ -127574,9 +127573,8 @@ function filterAlertsByDiffRange(logger, sarif) {
          if (!locationUri || locationStartLine === void 0) {
            return false;
          }
-          const locationPath = path13.join(checkoutPath, locationUri).replaceAll(path13.sep, "/");
          return diffRanges.some(
-            (range) => range.path === locationPath && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
+            (range) => range.path === locationUri && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
          );
        });
      });
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -83220,6 +83220,7 @@ var upload_lib_exports = {};
 __export(upload_lib_exports, {
  InvalidSarifUploadError: () => InvalidSarifUploadError,
  buildPayload: () => buildPayload,
+  filterAlertsByDiffRange: () => filterAlertsByDiffRange,
  findSarifFilesInDir: () => findSarifFilesInDir,
  getGroupedSarifFilePaths: () => getGroupedSarifFilePaths,
  getSarifFilePaths: () => getSarifFilePaths,
@@ -90615,7 +90616,6 @@ function filterAlertsByDiffRange(logger, sarif) {
  if (!diffRanges?.length) {
    return sarif;
  }
-  const checkoutPath = getRequiredInput("checkout_path");
  for (const run of sarif.runs) {
    if (run.results) {
      run.results = run.results.filter((result) => {
@@ -90629,9 +90629,8 @@ function filterAlertsByDiffRange(logger, sarif) {
          if (!locationUri || locationStartLine === void 0) {
            return false;
          }
-          const locationPath = path10.join(checkoutPath, locationUri).replaceAll(path10.sep, "/");
          return diffRanges.some(
-            (range) => range.path === locationPath && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
+            (range) => range.path === locationUri && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
          );
        });
      });
@@ -90643,6 +90642,7 @@ function filterAlertsByDiffRange(logger, sarif) {
 0 && (module.exports = {
  InvalidSarifUploadError,
  buildPayload,
+  filterAlertsByDiffRange,
  findSarifFilesInDir,
  getGroupedSarifFilePaths,
  getSarifFilePaths,
--- a/lib/upload-sarif-action.js
+++ b/lib/upload-sarif-action.js
@@ -91085,7 +91085,6 @@ function filterAlertsByDiffRange(logger, sarif) {
  if (!diffRanges?.length) {
    return sarif;
  }
-  const checkoutPath = getRequiredInput("checkout_path");
  for (const run2 of sarif.runs) {
    if (run2.results) {
      run2.results = run2.results.filter((result) => {
@@ -91099,9 +91098,8 @@ function filterAlertsByDiffRange(logger, sarif) {
          if (!locationUri || locationStartLine === void 0) {
            return false;
          }
-          const locationPath = path11.join(checkoutPath, locationUri).replaceAll(path11.sep, "/");
          return diffRanges.some(
-            (range) => range.path === locationPath && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
+            (range) => range.path === locationUri && (range.startLine <= locationStartLine && range.endLine >= locationStartLine || range.startLine === 0 && range.endLine === 0)
          );
        });
      });
--- a/src/analyze.test.ts
+++ b/src/analyze.test.ts
@@ -4,12 +4,14 @@ import * as path from "path";
 import test from "ava";
 import * as sinon from "sinon";

+import * as actionsUtil from "./actions-util";
 import { CodeQuality, CodeScanning } from "./analyses";
 import {
  runQueries,
  defaultSuites,
  resolveQuerySuiteAlias,
  addSarifExtension,
+  diffRangeExtensionPackContents,
 } from "./analyze";
 import { createStubCodeQL } from "./codeql";
 import { Feature } from "./feature-flags";
@@ -158,3 +160,23 @@ test("addSarifExtension", (t) => {
    );
  }
 });
+
+test("diffRangeExtensionPackContents", (t) => {
+  sinon
+    .stub(actionsUtil, "getRequiredInput")
+    .withArgs("checkout_path")
+    .returns("/checkout/path");
+  const output = diffRangeExtensionPackContents([
+    {
+      path: "main.js",
+      startLine: 10,
+      endLine: 20,
+    },
+  ]);
+
+  const expected = fs.readFileSync(
+    `${__dirname}/../src/testdata/pr-diff-range.yml`,
+    "utf8",
+  );
+  t.deepEqual(output, expected);
+});
--- a/src/analyze.ts
+++ b/src/analyze.ts
@@ -5,7 +5,11 @@ import { performance } from "perf_hooks";
 import * as io from "@actions/io";
 import * as yaml from "js-yaml";

-import { getTemporaryDirectory, PullRequestBranches } from "./actions-util";
+import {
+  getTemporaryDirectory,
+  getRequiredInput,
+  PullRequestBranches,
+} from "./actions-util";
 import * as analyses from "./analyses";
 import { setupCppAutobuild } from "./autobuild";
 import { type CodeQL } from "./codeql";
@@ -244,6 +248,45 @@ export async function setupDiffInformedQueryRun(
  );
 }

+export function diffRangeExtensionPackContents(
+  ranges: DiffThunkRange[],
+): string {
+  const header = `
+extensions:
+  - addsTo:
+      pack: codeql/util
+      extensible: restrictAlertsTo
+      checkPresence: false
+    data:
+`;
+
+  let data = ranges
+    .map((range) => {
+      // Diff-informed queries expect the file path to be absolute. CodeQL always
+      // uses forward slashes as the path separator, so on Windows we need to
+      // replace any backslashes with forward slashes.
+      const filename = path
+        .join(getRequiredInput("checkout_path"), range.path)
+        .replaceAll(path.sep, "/");
+
+      // Using yaml.dump() with `forceQuotes: true` ensures that all special
+      // characters are escaped, and that the path is always rendered as a
+      // quoted string on a single line.
+      return (
+        `      - [${yaml.dump(filename, { forceQuotes: true }).trim()}, ` +
+        `${range.startLine}, ${range.endLine}]\n`
+      );
+    })
+    .join("");
+  if (!data) {
+    // Ensure that the data extension is not empty, so that a pull request with
+    // no edited lines would exclude (instead of accepting) all alerts.
+    data = '      - ["", 0, 0]\n';
+  }
+
+  return header + data;
+}
+
 /**
 * Create an extension pack in the temporary directory that contains the file
 * line ranges that were added or modified in the pull request.
@@ -292,32 +335,7 @@ dataExtensions:
 `,
  );

-  const header = `
-extensions:
-  - addsTo:
-      pack: codeql/util
-      extensible: restrictAlertsTo
-      checkPresence: false
-    data:
-`;
-
-  let data = ranges
-    .map(
-      (range) =>
-        // Using yaml.dump() with `forceQuotes: true` ensures that all special
-        // characters are escaped, and that the path is always rendered as a
-        // quoted string on a single line.
-        `      - [${yaml.dump(range.path, { forceQuotes: true }).trim()}, ` +
-        `${range.startLine}, ${range.endLine}]\n`,
-    )
-    .join("");
-  if (!data) {
-    // Ensure that the data extension is not empty, so that a pull request with
-    // no edited lines would exclude (instead of accepting) all alerts.
-    data = '      - ["", 0, 0]\n';
-  }
-
-  const extensionContents = header + data;
+  const extensionContents = diffRangeExtensionPackContents(ranges);
  const extensionFilePath = path.join(diffRangeDir, "pr-diff-range.yml");
  fs.writeFileSync(extensionFilePath, extensionContents);
  logger.debug(
--- a/src/diff-informed-analysis-utils.test.ts
+++ b/src/diff-informed-analysis-utils.test.ts
@@ -188,10 +188,6 @@ test(
 );

 function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
-  sinon
-    .stub(actionsUtil, "getRequiredInput")
-    .withArgs("checkout_path")
-    .returns("/checkout/path");
  return exportedForTesting.getDiffRanges(
    {
      filename: "test.txt",
@@ -211,7 +207,7 @@ test("getDiffRanges: file diff too large", async (t) => {
  const diffRanges = runGetDiffRanges(1000000, undefined);
  t.deepEqual(diffRanges, [
    {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
      startLine: 0,
      endLine: 0,
    },
@@ -232,7 +228,7 @@ test("getDiffRanges: diff thunk with single addition range", async (t) => {
  ]);
  t.deepEqual(diffRanges, [
    {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
      startLine: 53,
      endLine: 54,
    },
@@ -268,7 +264,7 @@ test("getDiffRanges: diff thunk with single update range", async (t) => {
  ]);
  t.deepEqual(diffRanges, [
    {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
      startLine: 53,
      endLine: 53,
    },
@@ -290,12 +286,12 @@ test("getDiffRanges: diff thunk with addition ranges", async (t) => {
  ]);
  t.deepEqual(diffRanges, [
    {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
      startLine: 53,
      endLine: 53,
    },
    {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
      startLine: 55,
      endLine: 55,
    },
@@ -322,12 +318,12 @@ test("getDiffRanges: diff thunk with mixed ranges", async (t) => {
  ]);
  t.deepEqual(diffRanges, [
    {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
      startLine: 54,
      endLine: 54,
    },
    {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
      startLine: 57,
      endLine: 58,
    },
@@ -357,12 +353,12 @@ test("getDiffRanges: multiple diff thunks", async (t) => {
  ]);
  t.deepEqual(diffRanges, [
    {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
      startLine: 53,
      endLine: 54,
    },
    {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
      startLine: 153,
      endLine: 154,
    },
@@ -373,7 +369,7 @@ test("getDiffRanges: no diff context lines", async (t) => {
  const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
  t.deepEqual(diffRanges, [
    {
-      path: "/checkout/path/test.txt",
+      path: "test.txt",
      startLine: 50,
      endLine: 51,
    },
--- a/src/diff-informed-analysis-utils.ts
+++ b/src/diff-informed-analysis-utils.ts
@@ -191,13 +191,6 @@ function getDiffRanges(
  fileDiff: FileDiff,
  logger: Logger,
 ): DiffThunkRange[] | undefined {
-  // Diff-informed queries expect the file path to be absolute. CodeQL always
-  // uses forward slashes as the path separator, so on Windows we need to
-  // replace any backslashes with forward slashes.
-  const filename = path
-    .join(actionsUtil.getRequiredInput("checkout_path"), fileDiff.filename)
-    .replaceAll(path.sep, "/");
-
  if (fileDiff.patch === undefined) {
    if (fileDiff.changes === 0) {
      // There are situations where a changed file legitimately has no diff.
@@ -212,7 +205,7 @@ function getDiffRanges(
    // to a special diff range that covers the entire file.
    return [
      {
-        path: filename,
+        path: fileDiff.filename,
        startLine: 0,
        endLine: 0,
      },
@@ -247,7 +240,7 @@ function getDiffRanges(
      // Any line that does not start with a "+" or "-" terminates the current
      // range of added lines.
      diffRanges.push({
-        path: filename,
+        path: fileDiff.filename,
        startLine: additionRangeStartLine,
        endLine: currentLine - 1,
      });
--- a/src/testdata/pr-diff-range.yml
+++ b/src/testdata/pr-diff-range.yml
@@ -0,0 +1,8 @@
+
+extensions:
+  - addsTo:
+      pack: codeql/util
+      extensible: restrictAlertsTo
+      checkPresence: false
+    data:
+      - ['/checkout/path/main.js', 10, 20]
--- a/src/testdata/valid-sarif-diff-filtered.sarif
+++ b/src/testdata/valid-sarif-diff-filtered.sarif
@@ -0,0 +1,178 @@
+{
+  "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+  "version": "2.1.0",
+  "runs": [{
+      "tool": {
+        "driver": {
+          "name": "LGTM.com",
+          "organization": "Semmle",
+          "version": "1.24.0-SNAPSHOT",
+          "rules": [{
+            "id": "js/unused-local-variable",
+            "name": "js/unused-local-variable",
+            "shortDescription": {
+              "text": "Unused variable, import, function or class"
+            },
+            "fullDescription": {
+              "text": "Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully."
+            },
+            "defaultConfiguration": {
+              "level": "note"
+            },
+            "properties": {
+              "tags": ["maintainability"],
+              "kind": "problem",
+              "precision": "very-high",
+              "name": "Unused variable, import, function or class",
+              "description": "Unused variables, imports, functions or classes may be a symptom of a bug\n              and should be examined carefully.",
+              "id": "js/unused-local-variable",
+              "problem.severity": "recommendation"
+            }
+          }]
+        }
+      },
+      "results": [{
+        "ruleId": "js/unused-local-variable",
+        "ruleIndex": 0,
+        "message": {
+          "text": "Unused variable foo."
+        },
+        "locations": [{
+          "physicalLocation": {
+            "artifactLocation": {
+              "uri": "main.js",
+              "uriBaseId": "%SRCROOT%",
+              "index": 0
+            },
+            "region": {
+              "startLine": 2,
+              "startColumn": 7,
+              "endColumn": 10
+            }
+          }
+        }],
+        "partialFingerprints": {
+          "primaryLocationLineHash": "39fa2ee980eb94b0:1",
+          "primaryLocationStartColumnFingerprint": "4"
+        }
+      }],
+      "columnKind": "utf16CodeUnits",
+      "properties": {
+        "semmle.formatSpecifier": "2.1.0",
+        "semmle.sourceLanguage": "java"
+      }
+    },
+    {
+      "tool" : {
+        "driver" : {
+          "name" : "CodeQL command-line toolchain",
+          "organization" : "GitHub",
+          "semanticVersion" : "2.0.0",
+          "rules" : [ {
+            "id" : "js/unused-local-variable",
+            "name" : "js/unused-local-variable",
+            "shortDescription" : {
+              "text" : "Unused variable, import, function or class"
+            },
+            "fullDescription" : {
+              "text" : "Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully."
+            },
+            "defaultConfiguration" : {
+              "level": "note"
+            },
+            "properties" : {
+              "tags" : [ "maintainability" ],
+              "kind" : "problem",
+              "precision" : "very-high",
+              "name" : "Unused variable, import, function or class",
+              "description" : "Unused variables, imports, functions or classes may be a symptom of a bug\n              and should be examined carefully.",
+              "id" : "js/unused-local-variable",
+              "problem.severity" : "recommendation"
+            }
+          },
+          {
+            "id": "js/inconsistent-use-of-new",
+            "name": "js/inconsistent-use-of-new",
+            "shortDescription": {
+              "text": "Inconsistent use of 'new'"
+            },
+            "fullDescription": {
+              "text": "If a function is intended to be a constructor, it should always be invoked with 'new'. Otherwise, it should always be invoked as a normal function, that is, without 'new'."
+            },
+            "defaultConfiguration": {
+              "level": "note"
+            },
+            "properties": {
+              "tags": [
+                "reliability",
+                "correctness",
+                "language-features"
+              ],
+              "kind": "problem",
+              "precision": "very-high",
+              "problem.severity": "warning"
+            }
+          } ]
+        }
+      },
+      "artifacts" : [ {
+        "location" : {
+          "uri" : "main.js",
+          "uriBaseId" : "%SRCROOT%",
+          "index" : 0
+        }
+      },
+      {
+        "location": {
+          "uri": "src/promiseUtils.js",
+          "uriBaseId": "%SRCROOT%",
+          "index": 1
+        }
+      },
+      {
+        "location": {
+          "uri": "src/LiveQueryClient.js",
+          "uriBaseId": "%SRCROOT%",
+          "index": 2
+        }
+      },
+      {
+        "location": {
+          "uri": "src/ParseObject.js",
+          "uriBaseId": "%SRCROOT%",
+          "index": 3
+        }
+      } ],
+      "results" : [ {
+        "ruleId" : "js/unused-local-variable",
+        "ruleIndex" : 0,
+        "message" : {
+          "text" : "Unused variable foo."
+        },
+        "locations" : [ {
+          "physicalLocation" : {
+            "artifactLocation" : {
+              "uri" : "main.js",
+              "uriBaseId" : "%SRCROOT%",
+              "index" : 0
+            },
+            "region" : {
+              "startLine" : 2,
+              "startColumn" : 7,
+              "endColumn" : 10
+            }
+          }
+        } ],
+        "partialFingerprints" : {
+          "primaryLocationLineHash" : "39fa2ee980eb94b0:1",
+          "primaryLocationStartColumnFingerprint" : "4"
+        }
+      }],
+      "newlineSequences" : [ "\r\n", "\n", " ", " " ],
+      "columnKind" : "utf16CodeUnits",
+      "properties" : {
+        "semmle.formatSpecifier" : "sarif-latest"
+      }
+    }
+  ]
+}
--- a/src/upload-lib.test.ts
+++ b/src/upload-lib.test.ts
@@ -9,10 +9,16 @@ import * as sinon from "sinon";
 import * as analyses from "./analyses";
 import { AnalysisKind, CodeQuality, CodeScanning } from "./analyses";
 import * as api from "./api-client";
+import * as diffUtils from "./diff-informed-analysis-utils";
 import { getRunnerLogger, Logger } from "./logging";
 import { setupTests } from "./testing-utils";
 import * as uploadLib from "./upload-lib";
-import { GitHubVariant, initializeEnvironment, withTmpDir } from "./util";
+import {
+  GitHubVariant,
+  initializeEnvironment,
+  SarifFile,
+  withTmpDir,
+} from "./util";

 setupTests(test);

@@ -960,3 +966,30 @@ for (const analysis of [CodeScanning, CodeQuality]) {
    });
  });
 }
+
+function runFilterAlertsByDiffRange(
+  input: SarifFile,
+  diffRanges: diffUtils.DiffThunkRange[],
+): SarifFile {
+  sinon.stub(diffUtils, "readDiffRangesJsonFile").returns(diffRanges);
+  return uploadLib.filterAlertsByDiffRange(getRunnerLogger(true), input);
+}
+
+test("filterAlertsByDiffRange filters out alerts outside diff-range", (t) => {
+  const input = uploadLib.readSarifFile(
+    `${__dirname}/../src/testdata/valid-sarif.sarif`,
+  );
+  const actualOutput = runFilterAlertsByDiffRange(input, [
+    {
+      path: "main.js",
+      startLine: 1,
+      endLine: 3,
+    },
+  ]);
+
+  const expectedOutput = uploadLib.readSarifFile(
+    `${__dirname}/../src/testdata/valid-sarif-diff-filtered.sarif`,
+  );
+
+  t.deepEqual(actualOutput, expectedOutput);
+});
--- a/src/upload-lib.ts
+++ b/src/upload-lib.ts
@@ -1134,14 +1134,15 @@ export class InvalidSarifUploadError extends Error {
  }
 }

-function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
+export function filterAlertsByDiffRange(
+  logger: Logger,
+  sarif: SarifFile,
+): SarifFile {
  const diffRanges = readDiffRangesJsonFile(logger);
  if (!diffRanges?.length) {
    return sarif;
  }

-  const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
-
  for (const run of sarif.runs) {
    if (run.results) {
      run.results = run.results.filter((result) => {
@@ -1156,11 +1157,6 @@ function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
          if (!locationUri || locationStartLine === undefined) {
            return false;
          }
-          // CodeQL always uses forward slashes as the path separator, so on Windows we
-          // need to replace any backslashes with forward slashes.
-          const locationPath = path
-            .join(checkoutPath, locationUri)
-            .replaceAll(path.sep, "/");
          // Alert filtering here replicates the same behavior as the restrictAlertsTo
          // extensible predicate in CodeQL. See the restrictAlertsTo documentation
          // https://codeql.github.com/codeql-standard-libraries/csharp/codeql/util/AlertFiltering.qll/predicate.AlertFiltering$restrictAlertsTo.3.html
@@ -1168,7 +1164,7 @@ function filterAlertsByDiffRange(logger: Logger, sarif: SarifFile): SarifFile {
          // of an alert location.
          return diffRanges.some(
            (range) =>
-              range.path === locationPath &&
+              range.path === locationUri &&
              ((range.startLine <= locationStartLine &&
                range.endLine >= locationStartLine) ||
                (range.startLine === 0 && range.endLine === 0)),
Author	SHA1	Message	Date
Kasper Svendsen	4eb247591f	Move conversion of PR diff-range paths to absolute paths	2025-11-12 08:10:40 +01:00
Kasper Svendsen	df4e1992c0	Add unit test for diffRangeExtensionPackContents	2025-11-12 08:10:40 +01:00
Kasper Svendsen	d18f3acf74	Move diff-range extension pack generation into testable function	2025-11-12 08:10:39 +01:00
Kasper Svendsen	035c1179af	upload-lib: Unit test filterAlertsByDiffRange	2025-11-12 08:10:39 +01:00