Merge pull request #1118 from github/mergeback/v2.1.14-to-main-41a4ada3

Mergeback v2.1.14 refs/heads/releases/v2 into main

.github/check-sarif/action.yml

@@ -0,0 +1,20 @@
+name: Check SARIF
+description: Checks a SARIF file to see if certain queries were run and others were not run.
+inputs:
+  sarif-file:
+    required: true
+    description: The SARIF file to check
+
+  queries-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should be included in this SARIF file.
+
+  queries-not-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should NOT be included in this SARIF file.
+
+runs:
+  using: node12
+  main: index.js

.github/check-sarif/index.js

@@ -0,0 +1,43 @@
+'use strict'
+
+const core = require('@actions/core')
+const fs = require('fs')
+
+const sarif = JSON.parse(fs.readFileSync(core.getInput('sarif-file'), 'utf8'))
+const rules = sarif.runs[0].tool.extensions.flatMap(ext => ext.rules || [])
+const ruleIds = rules.map(rule => rule.id)
+
+// Check that all the expected queries ran
+const expectedQueriesRun = getQueryIdsInput('queries-run')
+const queriesThatShouldHaveRunButDidNot = expectedQueriesRun.filter(queryId => !ruleIds.includes(queryId))
+
+if (queriesThatShouldHaveRunButDidNot.length > 0) {
+  core.setFailed(`The following queries were expected to run but did not: ${queriesThatShouldHaveRunButDidNot.join(', ')}`)
+}
+
+// Check that all the unexpected queries did not run
+const expectedQueriesNotRun = getQueryIdsInput('queries-not-run')
+
+const queriesThatShouldNotHaveRunButDid = expectedQueriesNotRun.filter(queryId => ruleIds.includes(queryId))
+
+if (queriesThatShouldNotHaveRunButDid.length > 0) {
+  core.setFailed(`The following queries were NOT expected to have run but did: ${queriesThatShouldNotHaveRunButDid.join(', ')}`)
+}
+
+
+core.startGroup('All queries run')
+rules.forEach(rule => {
+  core.info(`${rule.id}: ${(rule.properties && rule.properties.name) || rule.name}`)
+})
+core.endGroup()
+
+core.startGroup('Full SARIF')
+core.info(JSON.stringify(sarif, null, 2))
+core.endGroup()
+
+function getQueryIdsInput(name) {
+  return core.getInput(name)
+    .split(',')
+    .map(q => q.trim())
+    .filter(q => q.length > 0)
+}

.github/query-filter-test/action.yml

@@ -0,0 +1,52 @@
+name: Query Filter Test
+description: Runs a test of query filters using the check sarif action
+inputs:
+  sarif-file:
+    required: true
+    description: The SARIF file to check
+
+  queries-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should be included in this SARIF file.
+
+  queries-not-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should NOT be included in this SARIF file.
+
+  config-file:
+    required: true
+    description: |
+      The location of the codeql configuration file to use.
+
+  tools:
+    required: true
+    description: |
+      The url of codeql to use.
+
+runs:
+  using: composite
+  steps:
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        config-file: ${{ inputs.config-file }}
+        tools: ${{ inputs.tools }}
+        db-location: ${{ runner.temp }}/query-filter-test
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        TEST_MODE: "true"
+    - name: Check SARIF
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file:  ${{ inputs.sarif-file }}
+        queries-run: ${{ inputs.queries-run}}
+        queries-not-run: ${{ inputs.queries-not-run}}
+    - name: Cleanup after test
+      shell: bash
+      run: rm -rf "$RUNNER_TEMP/results" "$RUNNER_TEMP//query-filter-test"

.github/workflows/check-for-conflicts.yml

@@ -4,7 +4,7 @@ name: Check for conflicts
 
 on:
   pull_request:
-    branches: [main, v1, v2]
+    branches: [main, releases/v1, releases/v2]
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
     types: [opened, synchronize, reopened, ready_for_review]

.github/workflows/expected-queries-runs.yml

@@ -0,0 +1,49 @@
+name: Expected queries runs
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+
+jobs:
+  expected-queries:
+    name: Expected Queries Tests
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: latest
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        TEST_MODE: true
+
+    - name: Check Sarif
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file: ${{ runner.temp }}/results/javascript.sarif
+        queries-run: js/incomplete-hostname-regexp,js/path-injection
+        queries-not-run: foo,bar

.github/workflows/script/update-required-checks.sh

@@ -21,7 +21,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"
 
 # Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
-CHECKS="$(gh api repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") | not)] | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") or contains("update") | not)] | unique | sort')"
 
 echo "$CHECKS" | jq
 

CHANGELOG.md

@@ -1,5 +1,17 @@
 # CodeQL Action Changelog
 
+## [UNRELEASED]
+
+No user facing changes.
+
+## 2.1.14 - 22 Jun 2022
+
+No user facing changes.
+
+## 2.1.13 - 21 Jun 2022
+
+- Update default CodeQL bundle version to 2.9.4. [#1100](https://github.com/github/codeql-action/pull/1100)
+
 ## 2.1.12 - 01 Jun 2022
 
 - Update default CodeQL bundle version to 2.9.3. [#1084](https://github.com/github/codeql-action/pull/1084)

lib/analyze.js

@@ -18,11 +18,15 @@ var __importStar = (this && this.__importStar) || function (mod) {
     __setModuleDefault(result, mod);
     return result;
 };
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runCleanup = exports.runFinalize = exports.runQueries = exports.CodeQLAnalysisError = void 0;
 const fs = __importStar(require("fs"));
 const path = __importStar(require("path"));
 const toolrunner = __importStar(require("@actions/exec/lib/toolrunner"));
+const del_1 = __importDefault(require("del"));
 const yaml = __importStar(require("js-yaml"));
 const analysisPaths = __importStar(require("./analysis-paths"));
 const codeql_1 = require("./codeql");
@@ -244,13 +248,8 @@ async function runFinalize(outputDir, threadsFlag, memoryFlag, config, logger) {
         // Delete the tracer config env var to avoid tracing ourselves
         delete process.env[sharedEnv.ODASA_TRACER_CONFIGURATION];
     }
-    // After switching to Node16, this entire block can be replaced with `await fs.promises.rm(outputDir, { recursive: true, force: true });`.
     try {
-        await fs.promises.rmdir(outputDir, {
-            recursive: true,
-            maxRetries: 5,
-            retryDelay: 2000,
-        });
+        await (0, del_1.default)(outputDir, { force: true });
     }
     catch (error) {
         if ((error === null || error === void 0 ? void 0 : error.code) !== "ENOENT") {

lib/api-compatibility.json

@@ -1 +1 @@
-{ "maximumVersion": "3.5", "minimumVersion": "3.1" }
+{ "maximumVersion": "3.6", "minimumVersion": "3.2" }

lib/codeql.js

@@ -77,7 +77,7 @@ const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
 exports.CODEQL_VERSION_COUNTS_LINES = "2.6.2";
 const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
 exports.CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
-const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.9.3";
+const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
 /**
  * This variable controls using the new style of tracing from the CodeQL
  * CLI. In particular, with versions above this we will use both indirect

lib/config-utils.test.js

@@ -925,4 +925,10 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.9.0", true, undefined, "security-and-quality", "~0.2.0");
 // Test that we don't inject an ML-powered query pack if the user has already specified one.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.9.0", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", "0.0.1");
+// Test that ML-powered queries are run on all platforms running `security-extended` on CodeQL
+// CLI 2.9.3+.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.9.3", true, undefined, "security-extended", "~0.3.0");
+// Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
+// CLI 2.9.3+.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.9.3", true, undefined, "security-and-quality", "~0.3.0");
 //# sourceMappingURL=config-utils.test.js.map

lib/defaults.json

@@ -1,3 +1,3 @@
 {
-    "bundleVersion": "codeql-bundle-20220527"
+    "bundleVersion": "codeql-bundle-20220615"
 }

lib/languages.js

@@ -11,6 +11,7 @@ var Language;
     Language["javascript"] = "javascript";
     Language["python"] = "python";
     Language["ruby"] = "ruby";
+    Language["swift"] = "swift";
 })(Language = exports.Language || (exports.Language = {}));
 // Additional names for languages
 const LANGUAGE_ALIASES = {
@@ -35,7 +36,7 @@ function parseLanguage(language) {
 }
 exports.parseLanguage = parseLanguage;
 function isTracedLanguage(language) {
-    return (["cpp", "java", "csharp"].includes(language) ||
+    return (["cpp", "java", "csharp", "swift"].includes(language) ||
         (process.env["CODEQL_EXTRACTOR_GO_BUILD_TRACING"] === "on" &&
             language === Language.go));
 }

lib/languages.js.map

@@ -1 +1 @@
-{"version":3,"file":"languages.js","sourceRoot":"","sources":["../src/languages.ts"],"names":[],"mappings":";;;AAAA,wCAAwC;AACxC,IAAY,QAQX;AARD,WAAY,QAAQ;IAClB,6BAAiB,CAAA;IACjB,uBAAW,CAAA;IACX,qBAAS,CAAA;IACT,yBAAa,CAAA;IACb,qCAAyB,CAAA;IACzB,6BAAiB,CAAA;IACjB,yBAAa,CAAA;AACf,CAAC,EARW,QAAQ,GAAR,gBAAQ,KAAR,gBAAQ,QAQnB;AAED,iCAAiC;AACjC,MAAM,gBAAgB,GAAiC;IACrD,CAAC,EAAE,QAAQ,CAAC,GAAG;IACf,KAAK,EAAE,QAAQ,CAAC,GAAG;IACnB,IAAI,EAAE,QAAQ,CAAC,MAAM;IACrB,UAAU,EAAE,QAAQ,CAAC,UAAU;CAChC,CAAC;AAEF,gGAAgG;AAChG,SAAgB,aAAa,CAAC,QAAgB;IAC5C,0BAA0B;IAC1B,QAAQ,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAElC,6BAA6B;IAC7B,IAAI,QAAQ,IAAI,QAAQ,EAAE;QACxB,OAAO,QAAoB,CAAC;KAC7B;IAED,yBAAyB;IACzB,IAAI,QAAQ,IAAI,gBAAgB,EAAE;QAChC,OAAO,gBAAgB,CAAC,QAAQ,CAAC,CAAC;KACnC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAfD,sCAeC;AAED,SAAgB,gBAAgB,CAAC,QAAkB;IACjD,OAAO,CACL,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC5C,CAAC,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,KAAK,IAAI;YACxD,QAAQ,KAAK,QAAQ,CAAC,EAAE,CAAC,CAC5B,CAAC;AACJ,CAAC;AAND,4CAMC;AAED,SAAgB,iBAAiB,CAAC,QAAkB;IAClD,OAAO,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAFD,8CAEC"}
+{"version":3,"file":"languages.js","sourceRoot":"","sources":["../src/languages.ts"],"names":[],"mappings":";;;AAAA,wCAAwC;AACxC,IAAY,QASX;AATD,WAAY,QAAQ;IAClB,6BAAiB,CAAA;IACjB,uBAAW,CAAA;IACX,qBAAS,CAAA;IACT,yBAAa,CAAA;IACb,qCAAyB,CAAA;IACzB,6BAAiB,CAAA;IACjB,yBAAa,CAAA;IACb,2BAAe,CAAA;AACjB,CAAC,EATW,QAAQ,GAAR,gBAAQ,KAAR,gBAAQ,QASnB;AAED,iCAAiC;AACjC,MAAM,gBAAgB,GAAiC;IACrD,CAAC,EAAE,QAAQ,CAAC,GAAG;IACf,KAAK,EAAE,QAAQ,CAAC,GAAG;IACnB,IAAI,EAAE,QAAQ,CAAC,MAAM;IACrB,UAAU,EAAE,QAAQ,CAAC,UAAU;CAChC,CAAC;AAEF,gGAAgG;AAChG,SAAgB,aAAa,CAAC,QAAgB;IAC5C,0BAA0B;IAC1B,QAAQ,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAElC,6BAA6B;IAC7B,IAAI,QAAQ,IAAI,QAAQ,EAAE;QACxB,OAAO,QAAoB,CAAC;KAC7B;IAED,yBAAyB;IACzB,IAAI,QAAQ,IAAI,gBAAgB,EAAE;QAChC,OAAO,gBAAgB,CAAC,QAAQ,CAAC,CAAC;KACnC;IAED,OAAO,SAAS,CAAC;AACnB,CAAC;AAfD,sCAeC;AAED,SAAgB,gBAAgB,CAAC,QAAkB;IACjD,OAAO,CACL,CAAC,KAAK,EAAE,MAAM,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACrD,CAAC,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC,KAAK,IAAI;YACxD,QAAQ,KAAK,QAAQ,CAAC,EAAE,CAAC,CAC5B,CAAC;AACJ,CAAC;AAND,4CAMC;AAED,SAAgB,iBAAiB,CAAC,QAAkB;IAClD,OAAO,CAAC,gBAAgB,CAAC,QAAQ,CAAC,CAAC;AACrC,CAAC;AAFD,8CAEC"}

lib/util.js

@@ -552,10 +552,17 @@ exports.ML_POWERED_JS_QUERIES_PACK_NAME = "codeql/javascript-experimental-atm-qu
  * queries beta.
  */
 async function getMlPoweredJsQueriesPack(codeQL) {
-    if (await codeQlVersionAbove(codeQL, "2.8.4")) {
-        return `${exports.ML_POWERED_JS_QUERIES_PACK_NAME}@~0.2.0`;
+    let version;
+    if (await codeQlVersionAbove(codeQL, "2.9.3")) {
+        version = `~0.3.0`;
     }
-    return `${exports.ML_POWERED_JS_QUERIES_PACK_NAME}@~0.1.0`;
+    else if (await codeQlVersionAbove(codeQL, "2.8.4")) {
+        version = `~0.2.0`;
+    }
+    else {
+        version = `~0.1.0`;
+    }
+    return `${exports.ML_POWERED_JS_QUERIES_PACK_NAME}@${version}`;
 }
 exports.getMlPoweredJsQueriesPack = getMlPoweredJsQueriesPack;
 /**

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.1.12",
+  "version": "2.1.15",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
@@ -469,6 +469,12 @@
       "integrity": "sha512-rr+OQyAjxze7GgWrSaJwydHStIhHq2lvY3BOC2Mj7KnzI7XK0Uw1TOOdI9lDoajEbSWLiYgoo4f1R51erQfhPQ==",
       "dev": true
     },
+    "node_modules/@types/js-yaml": {
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-4.0.5.tgz",
+      "integrity": "sha512-FhpRzf927MNQdRZP0J5DLIdTXhjLYzeUTmLAu69mnVksLH9CJY3IuSeEgbKUki7GQZm0WqDkGzyxju2EZGD2wA==",
+      "dev": true
+    },
     "node_modules/@types/json-schema": {
       "version": "7.0.8",
       "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.8.tgz",

node_modules/@types/js-yaml/LICENSE

@@ -0,0 +1,21 @@
+    MIT License
+
+    Copyright (c) Microsoft Corporation.
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE

node_modules/@types/js-yaml/README.md

@@ -0,0 +1,16 @@
+# Installation
+> `npm install --save @types/js-yaml`
+
+# Summary
+This package contains type definitions for js-yaml (https://github.com/nodeca/js-yaml).
+
+# Details
+Files were exported from https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/js-yaml.
+
+### Additional Details
+ * Last updated: Fri, 19 Nov 2021 18:01:12 GMT
+ * Dependencies: none
+ * Global values: `jsyaml`
+
+# Credits
+These definitions were written by [Bart van der Schoor](https://github.com/Bartvds), [Sebastian Clausen](https://github.com/sclausen), [ExE Boss](https://github.com/ExE-Boss), [Armaan Tobaccowalla](https://github.com/ArmaanT), and [Linus Unnebäck](https://github.com/LinusU).

node_modules/@types/js-yaml/index.d.mts

@@ -0,0 +1,2 @@
+export * from "./index.js";
+export { default } from "./index.js";

node_modules/@types/js-yaml/index.d.ts

@@ -0,0 +1,154 @@
+// Type definitions for js-yaml 4.0
+// Project: https://github.com/nodeca/js-yaml
+// Definitions by: Bart van der Schoor <https://github.com/Bartvds>
+//                 Sebastian Clausen <https://github.com/sclausen>
+//                 ExE Boss <https://github.com/ExE-Boss>
+//                 Armaan Tobaccowalla <https://github.com/ArmaanT>
+//                 Linus Unnebäck <https://github.com/LinusU>
+// Definitions: https://github.com/DefinitelyTyped/DefinitelyTyped
+// TypeScript Version: 2.2
+
+export as namespace jsyaml;
+
+export function load(str: string, opts?: LoadOptions): unknown;
+
+export class Type {
+    constructor(tag: string, opts?: TypeConstructorOptions);
+    kind: 'sequence' | 'scalar' | 'mapping' | null;
+    resolve(data: any): boolean;
+    construct(data: any, type?: string): any;
+    instanceOf: object | null;
+    predicate: ((data: object) => boolean) | null;
+    represent: ((data: object) => any) | { [x: string]: (data: object) => any } | null;
+    representName: ((data: object) => any) | null;
+    defaultStyle: string | null;
+    multi: boolean;
+    styleAliases: { [x: string]: any };
+}
+
+export class Schema {
+    constructor(definition: SchemaDefinition | Type[] | Type);
+    extend(types: SchemaDefinition | Type[] | Type): Schema;
+}
+
+export function loadAll(str: string, iterator?: null, opts?: LoadOptions): unknown[];
+export function loadAll(str: string, iterator: (doc: unknown) => void, opts?: LoadOptions): void;
+
+export function dump(obj: any, opts?: DumpOptions): string;
+
+export interface LoadOptions {
+    /** string to be used as a file path in error/warning messages. */
+    filename?: string | undefined;
+    /** function to call on warning messages. */
+    onWarning?(this: null, e: YAMLException): void;
+    /** specifies a schema to use. */
+    schema?: Schema | undefined;
+    /** compatibility with JSON.parse behaviour. */
+    json?: boolean | undefined;
+    /** listener for parse events */
+    listener?(this: State, eventType: EventType, state: State): void;
+}
+
+export type EventType = 'open' | 'close';
+
+export interface State {
+    input: string;
+    filename: string | null;
+    schema: Schema;
+    onWarning: (this: null, e: YAMLException) => void;
+    json: boolean;
+    length: number;
+    position: number;
+    line: number;
+    lineStart: number;
+    lineIndent: number;
+    version: null | number;
+    checkLineBreaks: boolean;
+    kind: string;
+    result: any;
+    implicitTypes: Type[];
+}
+
+export interface DumpOptions {
+    /** indentation width to use (in spaces). */
+    indent?: number | undefined;
+    /** when true, will not add an indentation level to array elements */
+    noArrayIndent?: boolean | undefined;
+    /** do not throw on invalid types (like function in the safe schema) and skip pairs and single values with such types. */
+    skipInvalid?: boolean | undefined;
+    /** specifies level of nesting, when to switch from block to flow style for collections. -1 means block style everwhere */
+    flowLevel?: number | undefined;
+    /** Each tag may have own set of styles.    - "tag" => "style" map. */
+    styles?: { [x: string]: any } | undefined;
+    /** specifies a schema to use. */
+    schema?: Schema | undefined;
+    /** if true, sort keys when dumping YAML. If a function, use the function to sort the keys. (default: false) */
+    sortKeys?: boolean | ((a: any, b: any) => number) | undefined;
+    /** set max line width. (default: 80) */
+    lineWidth?: number | undefined;
+    /** if true, don't convert duplicate objects into references (default: false) */
+    noRefs?: boolean | undefined;
+    /** if true don't try to be compatible with older yaml versions. Currently: don't quote "yes", "no" and so on, as required for YAML 1.1 (default: false) */
+    noCompatMode?: boolean | undefined;
+    /**
+     * if true flow sequences will be condensed, omitting the space between `key: value` or `a, b`. Eg. `'[a,b]'` or `{a:{b:c}}`.
+     * Can be useful when using yaml for pretty URL query params as spaces are %-encoded. (default: false).
+     */
+    condenseFlow?: boolean | undefined;
+    /** strings will be quoted using this quoting style. If you specify single quotes, double quotes will still be used for non-printable characters. (default: `'`) */
+    quotingType?: "'" | '"' | undefined;
+    /** if true, all non-key strings will be quoted even if they normally don't need to. (default: false) */
+    forceQuotes?: boolean | undefined;
+    /** callback `function (key, value)` called recursively on each key/value in source object (see `replacer` docs for `JSON.stringify`). */
+    replacer?: ((key: string, value: any) => any) | undefined;
+}
+
+export interface TypeConstructorOptions {
+    kind?: 'sequence' | 'scalar' | 'mapping' | undefined;
+    resolve?: ((data: any) => boolean) | undefined;
+    construct?: ((data: any, type?: string) => any) | undefined;
+    instanceOf?: object | undefined;
+    predicate?: ((data: object) => boolean) | undefined;
+    represent?: ((data: object) => any) | { [x: string]: (data: object) => any } | undefined;
+    representName?: ((data: object) => any) | undefined;
+    defaultStyle?: string | undefined;
+    multi?: boolean | undefined;
+    styleAliases?: { [x: string]: any } | undefined;
+}
+
+export interface SchemaDefinition {
+    implicit?: Type[] | undefined;
+    explicit?: Type[] | undefined;
+}
+
+/** only strings, arrays and plain objects: http://www.yaml.org/spec/1.2/spec.html#id2802346 */
+export let FAILSAFE_SCHEMA: Schema;
+/** only strings, arrays and plain objects: http://www.yaml.org/spec/1.2/spec.html#id2802346 */
+export let JSON_SCHEMA: Schema;
+/** same as JSON_SCHEMA: http://www.yaml.org/spec/1.2/spec.html#id2804923 */
+export let CORE_SCHEMA: Schema;
+/** all supported YAML types */
+export let DEFAULT_SCHEMA: Schema;
+
+export interface Mark {
+    buffer: string;
+    column: number;
+    line: number;
+    name: string;
+    position: number;
+    snippet: string;
+}
+
+export class YAMLException extends Error {
+    constructor(reason?: string, mark?: Mark);
+
+    toString(compact?: boolean): string;
+
+    name: string;
+
+    reason: string;
+
+    message: string;
+
+    mark: Mark;
+}

node_modules/@types/js-yaml/package.json

@@ -0,0 +1,53 @@
+{
+  "name": "@types/js-yaml",
+  "version": "4.0.5",
+  "description": "TypeScript definitions for js-yaml",
+  "homepage": "https://github.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/js-yaml",
+  "license": "MIT",
+  "contributors": [
+    {
+      "name": "Bart van der Schoor",
+      "url": "https://github.com/Bartvds",
+      "githubUsername": "Bartvds"
+    },
+    {
+      "name": "Sebastian Clausen",
+      "url": "https://github.com/sclausen",
+      "githubUsername": "sclausen"
+    },
+    {
+      "name": "ExE Boss",
+      "url": "https://github.com/ExE-Boss",
+      "githubUsername": "ExE-Boss"
+    },
+    {
+      "name": "Armaan Tobaccowalla",
+      "url": "https://github.com/ArmaanT",
+      "githubUsername": "ArmaanT"
+    },
+    {
+      "name": "Linus Unnebäck",
+      "url": "https://github.com/LinusU",
+      "githubUsername": "LinusU"
+    }
+  ],
+  "main": "",
+  "types": "index.d.ts",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/DefinitelyTyped/DefinitelyTyped.git",
+    "directory": "types/js-yaml"
+  },
+  "scripts": {},
+  "dependencies": {},
+  "typesPublisherContentHash": "6f40877154edac83ffa22d53a6aca74f151a0d094074c81ce7fb21df57ea5725",
+  "typeScriptVersion": "3.8",
+  "exports": {
+    ".": {
+      "types": {
+        "import": "./index.d.mts",
+        "default": "./index.d.ts"
+      }
+    }
+  }
+}

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "2.1.12",
+  "version": "2.1.15",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "2.1.12",
+      "version": "2.1.15",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^1.0.0",
@@ -38,6 +38,7 @@
       },
       "devDependencies": {
         "@ava/typescript": "3.0.1",
+        "@types/js-yaml": "^4.0.5",
         "@types/long": "4.0.1",
         "@types/node": "16.11.22",
         "@types/semver": "^7.3.8",
@@ -521,6 +522,12 @@
       "integrity": "sha512-rr+OQyAjxze7GgWrSaJwydHStIhHq2lvY3BOC2Mj7KnzI7XK0Uw1TOOdI9lDoajEbSWLiYgoo4f1R51erQfhPQ==",
       "dev": true
     },
+    "node_modules/@types/js-yaml": {
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-4.0.5.tgz",
+      "integrity": "sha512-FhpRzf927MNQdRZP0J5DLIdTXhjLYzeUTmLAu69mnVksLH9CJY3IuSeEgbKUki7GQZm0WqDkGzyxju2EZGD2wA==",
+      "dev": true
+    },
     "node_modules/@types/json-schema": {
       "version": "7.0.8",
       "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.8.tgz",
@@ -5885,6 +5892,12 @@
       "integrity": "sha512-rr+OQyAjxze7GgWrSaJwydHStIhHq2lvY3BOC2Mj7KnzI7XK0Uw1TOOdI9lDoajEbSWLiYgoo4f1R51erQfhPQ==",
       "dev": true
     },
+    "@types/js-yaml": {
+      "version": "4.0.5",
+      "resolved": "https://registry.npmjs.org/@types/js-yaml/-/js-yaml-4.0.5.tgz",
+      "integrity": "sha512-FhpRzf927MNQdRZP0J5DLIdTXhjLYzeUTmLAu69mnVksLH9CJY3IuSeEgbKUki7GQZm0WqDkGzyxju2EZGD2wA==",
+      "dev": true
+    },
     "@types/json-schema": {
       "version": "7.0.8",
       "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.8.tgz",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.1.12",
+  "version": "2.1.15",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -53,6 +53,7 @@
   ],
   "devDependencies": {
     "@ava/typescript": "3.0.1",
+    "@types/js-yaml": "^4.0.5",
     "@types/long": "4.0.1",
     "@types/node": "16.11.22",
     "@types/semver": "^7.3.8",

src/actions-util.test.ts

@@ -269,7 +269,7 @@ test("getWorkflowErrors() when on.push is correct with empty objects", (t) => {
 on:
   push:
   pull_request:
-`)
+`) as actionsutil.Workflow
   );
 
   t.deepEqual(...errorCodes(errors, []));
@@ -441,7 +441,7 @@ on:
   push:
     branches: ["main"]
   pull_request:
-`)
+`) as actionsutil.Workflow
   );
 
   t.deepEqual(
@@ -559,7 +559,7 @@ test("getWorkflowErrors() when branches contain dots", (t) => {
     pull_request:
       # The branches below must be a subset of the branches above
       branches: [4.1, master]
-`)
+`) as actionsutil.Workflow
   );
 
   t.deepEqual(...errorCodes(errors, []));
@@ -575,7 +575,7 @@ on:
   pull_request:
     # The branches below must be a subset of the branches above
     branches: [master]
-`)
+`) as actionsutil.Workflow
   );
 
   t.deepEqual(...errorCodes(errors, []));
@@ -604,7 +604,7 @@ jobs:
 
   test3:
     steps: []
-`)
+`) as actionsutil.Workflow
   );
 
   t.deepEqual(
@@ -635,7 +635,7 @@ jobs:
 
   test3:
     steps: []
-`)
+`) as actionsutil.Workflow
   );
 
   t.deepEqual(...errorCodes(errors, []));
@@ -645,7 +645,7 @@ test("getWorkflowErrors() when on is missing", (t) => {
   const errors = actionsutil.getWorkflowErrors(
     yaml.load(`
 name: "CodeQL"
-`)
+`) as actionsutil.Workflow
   );
 
   t.deepEqual(...errorCodes(errors, []));
@@ -658,7 +658,7 @@ test("getWorkflowErrors() with a different on setup", (t) => {
         yaml.load(`
 name: "CodeQL"
 on: "workflow_dispatch"
-`)
+`) as actionsutil.Workflow
       ),
       []
     )
@@ -670,7 +670,7 @@ on: "workflow_dispatch"
         yaml.load(`
 name: "CodeQL"
 on: [workflow_dispatch]
-`)
+`) as actionsutil.Workflow
       ),
       []
     )
@@ -683,7 +683,7 @@ on: [workflow_dispatch]
 name: "CodeQL"
 on:
   workflow_dispatch: {}
-`)
+`) as actionsutil.Workflow
       ),
       []
     )
@@ -699,7 +699,7 @@ name: "CodeQL"
 on:
   push:
     branches: [master]
-`)
+`) as actionsutil.Workflow
       ),
       []
     )
@@ -711,7 +711,7 @@ on:
         yaml.load(`
 name: "CodeQL"
 on: ["push"]
-`)
+`) as actionsutil.Workflow
       ),
       []
     )

src/actions-util.ts

@@ -191,7 +191,7 @@ interface WorkflowTriggers {
   pull_request?: WorkflowTrigger | null;
 }
 
-interface Workflow {
+export interface Workflow {
   jobs?: { [key: string]: WorkflowJob };
   on?: string | string[] | WorkflowTriggers;
 }
@@ -411,7 +411,7 @@ export async function getWorkflow(): Promise<Workflow> {
     relativePath
   );
 
-  return yaml.load(fs.readFileSync(absolutePath, "utf-8"));
+  return yaml.load(fs.readFileSync(absolutePath, "utf-8")) as Workflow;
 }
 
 /**

src/analyze.ts

@@ -2,6 +2,7 @@ import * as fs from "fs";
 import * as path from "path";
 
 import * as toolrunner from "@actions/exec/lib/toolrunner";
+import del from "del";
 import * as yaml from "js-yaml";
 
 import * as analysisPaths from "./analysis-paths";
@@ -151,7 +152,7 @@ function dbIsFinalized(
   try {
     const dbInfo = yaml.load(
       fs.readFileSync(path.resolve(dbPath, "codeql-database.yml"), "utf8")
-    );
+    ) as { inProgress?: boolean };
     return !("inProgress" in dbInfo);
   } catch (e) {
     logger.warning(
@@ -435,13 +436,8 @@ export async function runFinalize(
     delete process.env[sharedEnv.ODASA_TRACER_CONFIGURATION];
   }
 
-  // After switching to Node16, this entire block can be replaced with `await fs.promises.rm(outputDir, { recursive: true, force: true });`.
   try {
-    await fs.promises.rmdir(outputDir, {
-      recursive: true,
-      maxRetries: 5,
-      retryDelay: 2000,
-    } as any);
+    await del(outputDir, { force: true });
   } catch (error: any) {
     if (error?.code !== "ENOENT") {
       throw error;

src/api-compatibility.json

@@ -1 +1 @@
-{"maximumVersion": "3.5", "minimumVersion": "3.1"}
+{"maximumVersion": "3.6", "minimumVersion": "3.2"}

src/codeql.ts

@@ -222,7 +222,7 @@ const CODEQL_VERSION_SARIF_GROUP = "2.5.3";
 export const CODEQL_VERSION_COUNTS_LINES = "2.6.2";
 const CODEQL_VERSION_CUSTOM_QUERY_HELP = "2.7.1";
 export const CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
-const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.9.3";
+const CODEQL_VERSION_LUA_TRACER_CONFIG = "2.10.0";
 
 /**
  * This variable controls using the new style of tracing from the CodeQL

src/config-utils.test.ts

@@ -1865,3 +1865,23 @@ test(
   "security-and-quality",
   "0.0.1"
 );
+// Test that ML-powered queries are run on all platforms running `security-extended` on CodeQL
+// CLI 2.9.3+.
+test(
+  mlPoweredQueriesMacro,
+  "2.9.3",
+  true,
+  undefined,
+  "security-extended",
+  "~0.3.0"
+);
+// Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
+// CLI 2.9.3+.
+test(
+  mlPoweredQueriesMacro,
+  "2.9.3",
+  true,
+  undefined,
+  "security-and-quality",
+  "~0.3.0"
+);

src/config-utils.ts

@@ -1448,7 +1448,7 @@ function getLocalConfig(configFile: string, workspacePath: string): UserConfig {
     throw new Error(getConfigFileDoesNotExistErrorMessage(configFile));
   }
 
-  return yaml.load(fs.readFileSync(configFile, "utf8"));
+  return yaml.load(fs.readFileSync(configFile, "utf8")) as UserConfig;
 }
 
 async function getRemoteConfig(
@@ -1483,7 +1483,9 @@ async function getRemoteConfig(
     throw new Error(getConfigFileFormatInvalidMessage(configFile));
   }
 
-  return yaml.load(Buffer.from(fileContents, "base64").toString("binary"));
+  return yaml.load(
+    Buffer.from(fileContents, "base64").toString("binary")
+  ) as UserConfig;
 }
 
 /**

src/defaults.json

@@ -1,3 +1,3 @@
 {
-  "bundleVersion": "codeql-bundle-20220527"
+  "bundleVersion": "codeql-bundle-20220615"
 }

src/languages.ts

@@ -7,6 +7,7 @@ export enum Language {
   javascript = "javascript",
   python = "python",
   ruby = "ruby",
+  swift = "swift",
 }
 
 // Additional names for languages
@@ -37,7 +38,7 @@ export function parseLanguage(language: string): Language | undefined {
 
 export function isTracedLanguage(language: Language): boolean {
   return (
-    ["cpp", "java", "csharp"].includes(language) ||
+    ["cpp", "java", "csharp", "swift"].includes(language) ||
     (process.env["CODEQL_EXTRACTOR_GO_BUILD_TRACING"] === "on" &&
       language === Language.go)
   );

src/util.ts

@@ -664,10 +664,15 @@ export const ML_POWERED_JS_QUERIES_PACK_NAME =
 export async function getMlPoweredJsQueriesPack(
   codeQL: CodeQL
 ): Promise<string> {
-  if (await codeQlVersionAbove(codeQL, "2.8.4")) {
-    return `${ML_POWERED_JS_QUERIES_PACK_NAME}@~0.2.0`;
+  let version;
+  if (await codeQlVersionAbove(codeQL, "2.9.3")) {
+    version = `~0.3.0`;
+  } else if (await codeQlVersionAbove(codeQL, "2.8.4")) {
+    version = `~0.2.0`;
+  } else {
+    version = `~0.1.0`;
   }
-  return `${ML_POWERED_JS_QUERIES_PACK_NAME}@~0.1.0`;
+  return `${ML_POWERED_JS_QUERIES_PACK_NAME}@${version}`;
 }
 
 /**