Merge pull request #620 from github/rneatherway-patch-1

Suggest limiting push/pull_request triggers

.github/depandabot.yml

@@ -0,0 +1,9 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "thursday" # Gives us a working day to merge this before our typical release
+    labels:
+      - "Update dependencies"

.github/workflows/pr-checks.yml

@@ -27,7 +27,7 @@ jobs:
       run: .github/workflows/script/check-js.sh
 
   check-node-modules:
-    runs-on: ubuntu-latest
+    runs-on: macos-latest
 
     steps:
     - uses: actions/checkout@v2

.github/workflows/script/check-node-modules.sh

@@ -7,6 +7,7 @@ if [ ! -z "$(git status --porcelain)" ]; then
     >&2 echo "Failed: Repo should be clean before testing!"
     exit 1
 fi
+sudo npm install --force -g npm@latest
 # Reinstall modules and then clean to remove absolute paths
 # Use 'npm ci' instead of 'npm install' as this is intended to be reproducible
 npm ci

.github/workflows/update-dependencies.yml

@@ -0,0 +1,39 @@
+name: Update dependencies
+on:
+  pull_request_target:
+    types: [opened, synchronize, reopened, labeled]
+
+jobs:
+  update:
+    name: Update dependencies
+    runs-on: macos-latest
+    if: contains(github.event.pull_request.labels.*.name, 'Update dependencies')
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Remove PR label
+      env:
+        REPOSITORY: '${{ github.repository }}'
+        PR_NUMBER: '${{ github.event.pull_request.number }}'
+        GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+      run: |
+        gh api "repos/$REPOSITORY/issues/$PR_NUMBER/labels/Update%20dependencies" -X DELETE
+
+    - name: Push updated dependencies
+      env:
+        BRANCH: '${{ github.head_ref }}'
+      run: |
+        git fetch
+        git checkout $BRANCH
+        sudo npm install --force -g npm@latest
+        npm install
+        npm ci
+        npm run removeNPMAbsolutePaths
+        if [ ! -z "$(git status --porcelain)" ]; then
+          git config --global user.email "github-actions@github.com"
+          git config --global user.name "github-actions[bot]"
+          git add node_modules
+          git commit -am "Update checked-in dependencies"
+          git push origin "$BRANCH"
+        fi

CHANGELOG.md

@@ -1,5 +1,13 @@
 # CodeQL Action and CodeQL Runner Changelog
 
+## [UNRELEASED]
+
+No user facing changes.
+
+## 1.0.7 - 21 Jul 2021
+
+No user facing changes.
+
 ## 1.0.6 - 19 Jul 2021
 
 - The `init` step of the Action now supports a `source-root` input as a path to the root source-code directory. By default, the path is relative to `$GITHUB_WORKSPACE`. [#607](https://github.com/github/codeql-action/pull/607)

README.md

@@ -22,7 +22,9 @@ name: "Code Scanning - Action"
 
 on:
   push:
+    branches: [main]
   pull_request:
+    branches: [main]
   schedule:
     #        ┌───────────── minute (0 - 59)
     #        │  ┌───────────── hour (0 - 23)

lib/analyze.js

@@ -219,12 +219,14 @@ async function runCleanup(config, cleanupLevel, logger) {
 }
 exports.runCleanup = runCleanup;
 async function injectLinesOfCode(sarifFile, language, locPromise) {
+    var _a;
     const lineCounts = await locPromise;
     const idPrefix = count_loc_1.getIdPrefix(language);
     if (language in lineCounts) {
         const sarif = JSON.parse(fs.readFileSync(sarifFile, "utf8"));
         if (Array.isArray(sarif.runs)) {
             for (const run of sarif.runs) {
+                // Old style: Baseline is inserted when rule ID has suffix /summary/lines-of-code
                 const ruleId = `${idPrefix}/summary/lines-of-code`;
                 run.properties = run.properties || {};
                 run.properties.metricResults = run.properties.metricResults || [];
@@ -235,6 +237,15 @@ async function injectLinesOfCode(sarifFile, language, locPromise) {
                 if (rule) {
                     rule.baseline = lineCounts[language];
                 }
+                // New style: Baseline is inserted when matching rule has tag lines-of-code
+                for (const metric of run.properties.metricResults) {
+                    if (metric.rule && metric.rule.toolComponent) {
+                        const matchingRule = run.tool.extensions[metric.rule.toolComponent.index].rules[metric.rule.index];
+                        if ((_a = matchingRule.properties.tags) === null || _a === void 0 ? void 0 : _a.includes("lines-of-code")) {
+                            metric.baseline = lineCounts[language];
+                        }
+                    }
+                }
             }
         }
         fs.writeFileSync(sarifFile, JSON.stringify(sarif));

lib/analyze.test.js

@@ -88,6 +88,35 @@ ava_1.default("status report fields and search path setting", async (t) => {
                                     ],
                                 },
                             },
+                            // variant 3 references a rule with the lines-of-code tag
+                            {
+                                tool: {
+                                    extensions: [
+                                        {
+                                            rules: [
+                                                {
+                                                    properties: {
+                                                        tags: ["lines-of-code"],
+                                                    },
+                                                },
+                                            ],
+                                        },
+                                    ],
+                                },
+                                properties: {
+                                    metricResults: [
+                                        {
+                                            rule: {
+                                                index: 0,
+                                                toolComponent: {
+                                                    index: 0,
+                                                },
+                                            },
+                                            value: 123,
+                                        },
+                                    ],
+                                },
+                            },
                             {},
                         ],
                     }));
@@ -180,8 +209,20 @@ ava_1.default("status report fields and search path setting", async (t) => {
                 baseline: lineCount,
             },
         ]);
+        t.deepEqual(sarif.runs[2].properties.metricResults, [
+            {
+                rule: {
+                    index: 0,
+                    toolComponent: {
+                        index: 0,
+                    },
+                },
+                value: 123,
+                baseline: lineCount,
+            },
+        ]);
         // when the rule doesn't exist, it should not be added
-        t.deepEqual(sarif.runs[2].properties.metricResults, []);
+        t.deepEqual(sarif.runs[3].properties.metricResults, []);
     }
     function verifyQuerySuites(tmpDir) {
         const qlsContent = [

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
@@ -1243,7 +1243,6 @@
       "dependencies": {
         "anymatch": "~3.1.1",
         "braces": "~3.0.2",
-        "fsevents": "~2.1.2",
         "glob-parent": "~5.1.0",
         "is-binary-path": "~2.1.0",
         "is-glob": "~4.0.1",
@@ -3220,9 +3219,6 @@
     "node_modules/jsonfile": {
       "version": "4.0.0",
       "license": "MIT",
-      "dependencies": {
-        "graceful-fs": "^4.1.6"
-      },
       "optionalDependencies": {
         "graceful-fs": "^4.1.6"
       }

node_modules/glob-parent/CHANGELOG.md

@@ -4,6 +4,13 @@
 
 - eliminate ReDoS ([#36](https://github.com/gulpjs/glob-parent/issues/36)) ([f923116](https://github.com/gulpjs/glob-parent/commit/f9231168b0041fea3f8f954b3cceb56269fc6366))
 
+### [6.0.1](https://www.github.com/gulpjs/glob-parent/compare/v6.0.0...v6.0.1) (2021-07-20)
+
+
+### Bug Fixes
+
+* Resolve ReDoS vulnerability from CVE-2021-35065 ([#49](https://www.github.com/gulpjs/glob-parent/issues/49)) ([3e9f04a](https://www.github.com/gulpjs/glob-parent/commit/3e9f04a3b4349db7e1962d87c9a7398cda51f339))
+
 ## [6.0.0](https://www.github.com/gulpjs/glob-parent/compare/v5.1.2...v6.0.0) (2021-05-03)
 
 ### ⚠ BREAKING CHANGES

node_modules/glob-parent/index.js

@@ -6,7 +6,6 @@ var isWin32 = require('os').platform() === 'win32';
 
 var slash = '/';
 var backslash = /\\/g;
-var enclosure = /[{[].*\/.*[}\]]$/;
 var globby = /(^|[^\\])([{[]|\([^)]+$)/;
 var escaped = /\\([!*?|[\](){}])/g;
 
@@ -24,7 +23,7 @@ module.exports = function globParent(str, opts) {
   }
 
   // special case for strings ending in enclosure containing path separator
-  if (enclosure.test(str)) {
+  if (isEnclosure(str)) {
     str += slash;
   }
 
@@ -39,3 +38,26 @@ module.exports = function globParent(str, opts) {
   // remove escape chars and return result
   return str.replace(escaped, '$1');
 };
+
+function isEnclosure(str) {
+  var lastChar = str.slice(-1);
+
+  var enclosureStart;
+  switch (lastChar) {
+    case '}':
+      enclosureStart = '{';
+      break;
+    case ']':
+      enclosureStart = '[';
+      break;
+    default:
+      return false;
+  }
+
+  var foundIndex = str.indexOf(enclosureStart);
+  if (foundIndex < 0) {
+    return false;
+  }
+
+  return str.slice(foundIndex + 1, -1).includes(slash);
+}

node_modules/glob-parent/package.json

@@ -1,6 +1,6 @@
 {
   "name": "glob-parent",
-  "version": "6.0.0",
+  "version": "6.0.1",
   "description": "Extract the non-magic parent path from a glob string.",
   "author": "Gulp Team <team@gulpjs.com> (https://gulpjs.com/)",
   "contributors": [

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "1.0.6",
+      "version": "1.0.8",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^0.5.1",
@@ -1297,7 +1297,6 @@
       "dependencies": {
         "anymatch": "~3.1.1",
         "braces": "~3.0.2",
-        "fsevents": "~2.1.2",
         "glob-parent": "~5.1.0",
         "is-binary-path": "~2.1.0",
         "is-glob": "~4.0.1",
@@ -3274,9 +3273,6 @@
     "node_modules/jsonfile": {
       "version": "4.0.0",
       "license": "MIT",
-      "dependencies": {
-        "graceful-fs": "^4.1.6"
-      },
       "optionalDependencies": {
         "graceful-fs": "^4.1.6"
       }

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

runner/package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql-runner",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "lockfileVersion": 1,
   "requires": true,
   "dependencies": {

runner/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql-runner",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "private": true,
   "description": "CodeQL runner",
   "scripts": {

src/analyze.test.ts

@@ -94,6 +94,35 @@ test("status report fields and search path setting", async (t) => {
                     ],
                   },
                 },
+                // variant 3 references a rule with the lines-of-code tag
+                {
+                  tool: {
+                    extensions: [
+                      {
+                        rules: [
+                          {
+                            properties: {
+                              tags: ["lines-of-code"],
+                            },
+                          },
+                        ],
+                      },
+                    ],
+                  },
+                  properties: {
+                    metricResults: [
+                      {
+                        rule: {
+                          index: 0,
+                          toolComponent: {
+                            index: 0,
+                          },
+                        },
+                        value: 123,
+                      },
+                    ],
+                  },
+                },
                 {},
               ],
             })
@@ -233,8 +262,20 @@ test("status report fields and search path setting", async (t) => {
         baseline: lineCount,
       },
     ]);
+    t.deepEqual(sarif.runs[2].properties.metricResults, [
+      {
+        rule: {
+          index: 0,
+          toolComponent: {
+            index: 0,
+          },
+        },
+        value: 123,
+        baseline: lineCount,
+      },
+    ]);
     // when the rule doesn't exist, it should not be added
-    t.deepEqual(sarif.runs[2].properties.metricResults, []);
+    t.deepEqual(sarif.runs[3].properties.metricResults, []);
   }
 
   function verifyQuerySuites(tmpDir: string) {

src/analyze.ts

@@ -415,8 +415,10 @@ async function injectLinesOfCode(
   const idPrefix = getIdPrefix(language);
   if (language in lineCounts) {
     const sarif = JSON.parse(fs.readFileSync(sarifFile, "utf8"));
+
     if (Array.isArray(sarif.runs)) {
       for (const run of sarif.runs) {
+        // Old style: Baseline is inserted when rule ID has suffix /summary/lines-of-code
         const ruleId = `${idPrefix}/summary/lines-of-code`;
         run.properties = run.properties || {};
         run.properties.metricResults = run.properties.metricResults || [];
@@ -428,8 +430,22 @@ async function injectLinesOfCode(
         if (rule) {
           rule.baseline = lineCounts[language];
         }
+
+        // New style: Baseline is inserted when matching rule has tag lines-of-code
+        for (const metric of run.properties.metricResults) {
+          if (metric.rule && metric.rule.toolComponent) {
+            const matchingRule =
+              run.tool.extensions[metric.rule.toolComponent.index].rules[
+                metric.rule.index
+              ];
+            if (matchingRule.properties.tags?.includes("lines-of-code")) {
+              metric.baseline = lineCounts[language];
+            }
+          }
+        }
       }
     }
+
     fs.writeFileSync(sarifFile, JSON.stringify(sarif));
   }
 }