Merge pull request #1013 from github/henrymercer/ml-powered-query-pack-v0.2.0

Run version `~0.2.0` of the ML-powered query pack on v2.8.4+ of the CLI

.github/workflows/__analyze-ref-input.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -69,7 +70,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__debug-artifacts.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -53,7 +54,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test
@@ -70,7 +71,7 @@ jobs:
       run: ./build.sh
     - uses: ./../action/analyze
       id: analysis
-    - uses: actions/download-artifact@v2
+    - uses: actions/download-artifact@v3
       with:
         name: my-debug-artifacts-${{ matrix.os }}-${{ matrix.version }}
     - shell: bash

.github/workflows/__extractor-ram-threads.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -31,7 +32,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__go-custom-queries.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -69,13 +70,13 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@v3
       with:
         go-version: ^1.13.1
     - uses: ./../action/init

.github/workflows/__go-custom-tracing-autobuild.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -53,13 +54,13 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@v3
       with:
         go-version: ^1.13.1
     - uses: ./../action/init

.github/workflows/__go-custom-tracing.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -69,13 +70,13 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
-    - uses: actions/setup-go@v2
+    - uses: actions/setup-go@v3
       with:
         go-version: ^1.13.1
     - uses: ./../action/init

.github/workflows/__javascript-source-root.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -35,7 +36,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__ml-powered-queries.yml

@@ -0,0 +1,119 @@
+# Warning: This file is generated automatically, and should not be modified.
+# Instead, please modify the template in the pr-checks directory and run:
+#     pip install ruamel.yaml && python3 sync.py
+# to regenerate this file.
+
+name: PR Check - ML-powered queries
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GO111MODULE: auto
+on:
+  push:
+    branches:
+    - main
+    - v1
+    - v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+jobs:
+  ml-powered-queries:
+    strategy:
+      matrix:
+        include:
+        - os: ubuntu-latest
+          version: stable-20220120
+        - os: macos-latest
+          version: stable-20220120
+        - os: windows-latest
+          version: stable-20220120
+        - os: ubuntu-latest
+          version: cached
+        - os: macos-latest
+          version: cached
+        - os: windows-latest
+          version: cached
+        - os: ubuntu-latest
+          version: latest
+        - os: macos-latest
+          version: latest
+        - os: windows-latest
+          version: latest
+        - os: ubuntu-latest
+          version: nightly-latest
+        - os: macos-latest
+          version: nightly-latest
+        - os: windows-latest
+          version: nightly-latest
+    name: ML-powered queries
+    timeout-minutes: 45
+    runs-on: ${{ matrix.os }}
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: ${{ matrix.version }}
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        queries: security-extended
+        source-root: ./../action/tests/ml-powered-queries-repo
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+      env:
+        TEST_MODE: true
+
+    - name: Upload SARIF
+      uses: actions/upload-artifact@v3
+      with:
+        name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+        path: ${{ runner.temp }}/results/javascript.sarif
+        retention-days: 7
+
+    - name: Check results
+      env:
+        IS_WINDOWS: ${{ matrix.os == 'windows-latest' }}
+      shell: bash
+      run: |
+        cd "$RUNNER_TEMP/results"
+        # We should run at least the ML-powered queries in `expected_rules`.
+        expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
+
+        for rule in ${expected_rules}; do
+          found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
+            flatten | .[].id] | any(. == $rule)' javascript.sarif)
+          echo "Did find rule '${rule}': ${found_rule}"
+          if [[ "${found_rule}" != "true" && "${IS_WINDOWS}" != "true" ]]; then
+            echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
+            exit 1
+          elif [[ "${found_rule}" == "true" && "${IS_WINDOWS}" == "true" ]]; then
+            echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
+            exit 1
+          fi
+        done
+
+        # We should have at least one alert from an ML-powered query.
+        num_alerts=$(jq '[.runs[0].results[] |
+          select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
+          javascript.sarif)
+        echo "Found ${num_alerts} alerts from ML-powered queries.";
+        if [[ "${num_alerts}" -eq 0 && "${IS_WINDOWS}" != "true" ]]; then
+          echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
+          exit 1
+        elif [[ "${num_alerts}" -ne 0 && "${IS_WINDOWS}" == "true" ]]; then
+          echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
+          exit 1
+        fi
+    env:
+      INTERNAL_CODEQL_ACTION_DEBUG_LOC: true

.github/workflows/__multi-language-autodetect.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -53,7 +54,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__packaging-config-inputs-js.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -33,7 +34,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__packaging-config-js.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -33,7 +34,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__packaging-inputs-js.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -33,7 +34,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__remote-config.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -69,7 +70,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__rubocop-multi-language.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -41,7 +42,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__split-workflow.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -33,7 +34,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__test-local-codeql.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -31,7 +32,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__test-proxy.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -31,7 +32,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__test-ruby.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -41,7 +42,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__unset-environment.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -41,7 +42,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__upload-ref-sha-input.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -69,7 +70,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test

.github/workflows/__with-checkout-path.yml

@@ -12,6 +12,7 @@ on:
     branches:
     - main
     - v1
+    - v2
   pull_request:
     types:
     - opened
@@ -69,13 +70,13 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
     - name: Check out repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
     - name: Prepare test
       id: prepare-test
       uses: ./.github/prepare-test
       with:
         version: ${{ matrix.version }}
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
         path: x/y/z/some-path

.github/workflows/check-expected-release-files.yml

@@ -15,7 +15,7 @@ jobs:
 
     steps:
       - name: Checkout CodeQL Action
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Check Expected Release Files
         run: |
           bundle_version="$(cat "./src/defaults.json" | jq -r ".bundleVersion")"

.github/workflows/codeql.yml

@@ -20,7 +20,7 @@ jobs:
       security-events: write
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - name: Init with default CodeQL bundle from the VM image
       id: init-default
       uses: ./init
@@ -75,7 +75,7 @@ jobs:
       security-events: write
 
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
     - uses: ./init
       id: init
       with:

.github/workflows/post-release-mergeback.yml

@@ -34,8 +34,8 @@ jobs:
           GITHUB_CONTEXT: '${{ toJson(github) }}'
         run: echo "$GITHUB_CONTEXT"
 
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v3
 
       - name: Update git config
         run: |

.github/workflows/pr-checks.yml

@@ -2,7 +2,7 @@ name: PR Checks (Basic Checks and Runner)
 
 on:
   push:
-    branches: [main, v1]
+    branches: [main, v1, v2]
   pull_request:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
@@ -16,7 +16,7 @@ jobs:
     timeout-minutes: 45
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Run Lint
         run: npm run-script lint
 
@@ -30,7 +30,7 @@ jobs:
         node-types-version: [12.12, current]
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Update version of @types/node
         if: matrix.node-types-version != 'current'
@@ -46,11 +46,13 @@ jobs:
           # `npm install` on Linux.
           npm install
 
-          git config --global user.email "github-actions@github.com"
+          if [ ! -z "$(git status --porcelain)" ]; then
-          git config --global user.name "github-actions[bot]"
+            git config --global user.email "github-actions@github.com"
-          # The period in `git add --all .` ensures that we stage deleted files too.
+            git config --global user.name "github-actions[bot]"
-          git add --all .
+            # The period in `git add --all .` ensures that we stage deleted files too.
-          git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
+            git add --all .
+            git commit -m "Use @types/node=${NODE_TYPES_VERSION}"
+          fi
 
       - name: Check generated JS
         run: .github/workflows/script/check-js.sh
@@ -61,7 +63,7 @@ jobs:
     timeout-minutes: 45
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Check node modules up to date
         run: .github/workflows/script/check-node-modules.sh
 
@@ -71,9 +73,9 @@ jobs:
     timeout-minutes: 45
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: Set up Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v3
         with:
           python-version: 3.8
       - name: Install dependencies
@@ -93,7 +95,7 @@ jobs:
     timeout-minutes: 45
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
       - name: npm run-script test
         run: npm run-script test
 
@@ -104,7 +106,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Build runner
         run: |
@@ -133,7 +135,7 @@ jobs:
     runs-on: windows-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Build runner
         run: |
@@ -158,7 +160,7 @@ jobs:
     runs-on: macos-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Build runner
         run: |
@@ -183,7 +185,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Move codeql-action
         shell: bash
@@ -223,7 +225,7 @@ jobs:
     runs-on: windows-2019
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Move codeql-action
         shell: bash
@@ -251,7 +253,7 @@ jobs:
           & $Env:CODEQL_RUNNER dotnet build /p:UseSharedCompilation=false
 
       - name: Upload tracer logs
-        uses: actions/upload-artifact@v2
+        uses: actions/upload-artifact@v3
         with:
           name: tracer-logs
           path: ./codeql-runner/compound-build-tracer.log
@@ -269,7 +271,7 @@ jobs:
     runs-on: macos-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Move codeql-action
         shell: bash
@@ -308,7 +310,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Move codeql-action
         shell: bash
@@ -347,7 +349,7 @@ jobs:
     runs-on: windows-2019
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Move codeql-action
         shell: bash
@@ -385,7 +387,7 @@ jobs:
     timeout-minutes: 45
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Move codeql-action
         shell: bash
@@ -425,7 +427,7 @@ jobs:
     if: ${{ github.event_name != 'pull_request' || github.event.pull_request.base.repo.id == github.event.pull_request.head.repo.id }}
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Build runner
         run: |
@@ -446,7 +448,7 @@ jobs:
     timeout-minutes: 45
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
 
       - name: Build runner
         run: |

.github/workflows/python-deps.yml

@@ -2,7 +2,7 @@ name: Test Python Package Installation on Linux and Mac
 
 on:
   push:
-    branches: [main, v1]
+    branches: [main, v1, v2]
   pull_request:
     # Run checks on reopened draft PRs to support triggering PR checks on draft PRs that were opened
     # by other workflows.
@@ -25,7 +25,7 @@ jobs:
 
     steps:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     - name: Initialize CodeQL
       uses: ./init
@@ -71,7 +71,7 @@ jobs:
 
     steps:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
     - name: Initialize CodeQL
       uses: ./init
@@ -122,9 +122,9 @@ jobs:
 
     steps:
     # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
 
-    - uses: actions/setup-python@v2
+    - uses: actions/setup-python@v3
       with:
         python-version: ${{ matrix.python_version }}
 

.github/workflows/release-runner.yml

@@ -1,55 +0,0 @@
-name: Release runner
-
-on:
-  workflow_dispatch:
-    inputs:
-      bundle-tag:
-        description: 'Tag of the bundle release (e.g., "codeql-bundle-20200826")'
-        required: false
-
-jobs:
-  release-runner:
-    timeout-minutes: 45
-    runs-on: ubuntu-latest
-    env:
-      RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"
-
-    strategy:
-      matrix:
-        extension: ["linux", "macos", "win.exe"]
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Build runner
-        run: |
-          cd runner
-          npm install
-          npm run build-runner
-
-      - uses: actions/upload-artifact@v2
-        with:
-          name: codeql-runner-${{matrix.extension}}
-          path: runner/dist/codeql-runner-${{matrix.extension}}
-
-      - name: Resolve Upload URL for the release
-        if: ${{ github.event.inputs.bundle-tag != null }}
-        id: save_url
-        run: |
-          UPLOAD_URL=$(curl -sS \
-                "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${RELEASE_TAG}" \
-                -H "Accept: application/json" \
-                -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" | jq .upload_url | sed s/\"//g)
-          echo ${UPLOAD_URL}
-          echo "::set-output name=upload_url::${UPLOAD_URL}"
-
-      - name: Upload Platform Package
-        if: ${{ github.event.inputs.bundle-tag != null }}
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.save_url.outputs.upload_url }}
-          asset_path: runner/dist/codeql-runner-${{matrix.extension}}
-          asset_name: codeql-runner-${{matrix.extension}}
-          asset_content_type: application/octet-stream

.github/workflows/split.yml

@@ -1,74 +0,0 @@
-#
-# Split the CodeQL Bundle into platform bundles
-#
-# Instructions:
-#  1. Upload the new codeql-bundle (codeql-bundle.tar.gz) as an asset of the
-#     release (codeql-bundle-20200826)
-#  2. Take note of the CLI Release used by the bundle (e.g., v2.2.5)
-#  3. Manually launch this workflow file (via the Actions UI) specifying
-#     - The CLI Release (e.g., v2.2.5)
-#     - The release tag (e.g., codeql-bundle-20200826)
-#  4. If everything succeeds you should see 3 new assets.
-#
-
-name: Split Bundle
-
-on:
- workflow_dispatch:
-    inputs:
-      cli-release:
-        description: 'CodeQL CLI Release (e.g., "v2.2.5")'
-        required: true
-      bundle-tag:
-        description: 'Tag of the bundle release (e.g., "codeql-bundle-20200826")'
-        required: true
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    timeout-minutes: 45
-    env:
-      CLI_RELEASE: "${{ github.event.inputs.cli-release }}"
-      RELEASE_TAG: "${{ github.event.inputs.bundle-tag }}"
-
-    strategy:
-      fail-fast: false
-      matrix:
-        platform: ["linux64", "osx64", "win64"]
-
-    steps:
-      - name: Resolve Upload URL for the release
-        id: save_url
-        run: |
-          UPLOAD_URL=$(curl -sS \
-               "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${RELEASE_TAG}" \
-               -H "Accept: application/json" \
-               -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" | jq .upload_url | sed s/\"//g)
-          echo ${UPLOAD_URL}
-          echo "::set-output name=upload_url::${UPLOAD_URL}"
-
-      - name: Download CodeQL CLI and Bundle
-        run: |
-          wget --no-verbose "https://github.com/${GITHUB_REPOSITORY}/releases/download/${RELEASE_TAG}/codeql-bundle.tar.gz"
-          wget --no-verbose "https://github.com/github/codeql-cli-binaries/releases/download/${CLI_RELEASE}/codeql-${{matrix.platform}}.zip"
-
-      - name: Create Platform Package
-        # Replace the codeql-binaries with the platform specific ones
-        run: |
-          gunzip codeql-bundle.tar.gz
-          tar -f codeql-bundle.tar --delete codeql
-          unzip -q codeql-${{matrix.platform}}.zip
-          tar -f codeql-bundle.tar --append codeql
-          gzip codeql-bundle.tar
-          mv codeql-bundle.tar.gz codeql-bundle-${{matrix.platform}}.tar.gz
-          du -sh codeql-bundle-${{matrix.platform}}.tar.gz
-
-      - name: Upload Platform Package
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.save_url.outputs.upload_url }}
-          asset_path: ./codeql-bundle-${{matrix.platform}}.tar.gz
-          asset_name: codeql-bundle-${{matrix.platform}}.tar.gz
-          asset_content_type: application/tar+gzip

.github/workflows/update-dependencies.yml

@@ -11,7 +11,7 @@ jobs:
     if: contains(github.event.pull_request.labels.*.name, 'Update dependencies') && (github.event.pull_request.head.repo.full_name == 'github/codeql-action')
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Remove PR label
       env:

.github/workflows/update-release-branch.yml

@@ -23,13 +23,13 @@ jobs:
         GITHUB_CONTEXT: '${{ toJson(github) }}'
       run: echo "$GITHUB_CONTEXT"
 
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v3
       with:
         # Need full history so we calculate diffs
         fetch-depth: 0
 
     - name: Set up Python
-      uses: actions/setup-python@v2
+      uses: actions/setup-python@v3
       with:
         python-version: 3.8
 

.github/workflows/update-supported-enterprise-server-versions.yml

@@ -13,13 +13,13 @@ jobs:
 
     steps:
       - name: Setup Python
-        uses: actions/setup-python@v2
+        uses: actions/setup-python@v3
         with:
           python-version: "3.7"
       - name: Checkout CodeQL Action
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
       - name: Checkout Enterprise Releases
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           repository: github/enterprise-releases
           ssh-key: ${{ secrets.ENTERPRISE_RELEASES_SSH_KEY }}

CHANGELOG.md

@@ -1,5 +1,9 @@
 # CodeQL Action Changelog
 
+## [UNRELEASED]
+
+No user facing changes.
+
 ## 2.1.6 - 30 Mar 2022
 
 - [v2+ only] The CodeQL Action now runs on Node.js v16. [#1000](https://github.com/github/codeql-action/pull/1000)

README.md

@@ -52,11 +52,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
         # Override language selection by uncommenting this and choosing your languages
         # with:
         #   languages: go, javascript, csharp, python, cpp, java
@@ -64,7 +64,7 @@ jobs:
       # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below).
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v2
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -78,14 +78,14 @@ jobs:
       #     make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2
 ```
 
 If you prefer to integrate this within an existing CI workflow, it should end up looking something like this:
 
 ```yaml
 - name: Initialize CodeQL
-  uses: github/codeql-action/init@v1
+  uses: github/codeql-action/init@v2
   with:
     languages: go, javascript
 
@@ -95,7 +95,7 @@ If you prefer to integrate this within an existing CI workflow, it should end up
     make release
 
 - name: Perform CodeQL Analysis
-  uses: github/codeql-action/analyze@v1
+  uses: github/codeql-action/analyze@v2
 ```
 
 ### Configuration file
@@ -103,7 +103,7 @@ If you prefer to integrate this within an existing CI workflow, it should end up
 Use the `config-file` parameter of the `init` action to enable the configuration file. The value of `config-file` is the path to the configuration file you want to use. This example loads the configuration file `./.github/codeql/codeql-config.yml`.
 
 ```yaml
-- uses: github/codeql-action/init@v1
+- uses: github/codeql-action/init@v2
   with:
     config-file: ./.github/codeql/codeql-config.yml
 ```
@@ -111,7 +111,7 @@ Use the `config-file` parameter of the `init` action to enable the configuration
 The configuration file can be located in a different repository. This is useful if you want to share the same configuration across multiple repositories. If the configuration file is in a private repository you can also specify an `external-repository-token` option. This should be a personal access token that has read access to any repositories containing referenced config files and queries.
 
 ```yaml
-- uses: github/codeql-action/init@v1
+- uses: github/codeql-action/init@v2
   with:
     config-file: owner/repo/codeql-config.yml@branch
     external-repository-token: ${{ secrets.EXTERNAL_REPOSITORY_TOKEN }}
@@ -122,7 +122,7 @@ For information on how to write a configuration file, see "[Using a custom confi
 If you only want to customise the queries used, you can specify them in your workflow instead of creating a config file, using the `queries` property of the `init` action:
 
 ```yaml
-- uses: github/codeql-action/init@v1
+- uses: github/codeql-action/init@v2
   with:
     queries: <local-or-remote-query>,<another-query>
 ```
@@ -130,7 +130,7 @@ If you only want to customise the queries used, you can specify them in your wor
 By default, this will override any queries specified in a config file. If you wish to use both sets of queries, prefix the list of queries in the workflow with `+`:
 
 ```yaml
-- uses: github/codeql-action/init@v1
+- uses: github/codeql-action/init@v2
   with:
     queries: +<local-or-remote-query>,<another-query>
 ```

lib/actions-util.js

@@ -455,7 +455,7 @@ async function getRef() {
         return ref;
     }
     const head = await (0, exports.getCommitOid)(checkoutPath, "HEAD");
-    // in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
+    // in actions/checkout@v2+ we can check if git rev-parse HEAD == GITHUB_SHA
     // in actions/checkout@v1 this may not be true as it checks out the repository
     // using GITHUB_REF. There is a subtle race condition where
     // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check

lib/codeql.js

@@ -474,9 +474,8 @@ async function getCodeQLForCmd(cmd, checkVersion) {
                 if (config.injectedMlQueries) {
                     // We need to inject the ML queries into the original user input before
                     // we pass this on to the CLI, to make sure these get run.
-                    let packString = util_1.ML_POWERED_JS_QUERIES_PACK.packName;
+                    const pack = await util.getMlPoweredJsQueriesPack(codeql);
-                    if (util_1.ML_POWERED_JS_QUERIES_PACK.version)
+                    const packString = pack.packName + (pack.version ? `@${pack.version}` : "");
-                        packString = `${packString}@${util_1.ML_POWERED_JS_QUERIES_PACK.version}`;
                     if (augmentedConfig.packs === undefined)
                         augmentedConfig.packs = [];
                     if (Array.isArray(augmentedConfig.packs)) {

lib/config-utils.js

@@ -130,15 +130,18 @@ async function addBuiltinSuiteQueries(languages, codeQL, resultMap, packs, suite
     // If we're running the JavaScript security-extended analysis (or a superset of it), the repo is
     // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
     // pack, then add the ML-powered query pack so that we run ML-powered queries.
-    if (languages.includes("javascript") &&
+    if (
+    // Disable ML-powered queries on Windows
+    process.platform !== "win32" &&
+        languages.includes("javascript") &&
         (found === "security-extended" || found === "security-and-quality") &&
-        !((_a = packs.javascript) === null || _a === void 0 ? void 0 : _a.some((pack) => pack.packName === util_1.ML_POWERED_JS_QUERIES_PACK.packName)) &&
+        !((_a = packs.javascript) === null || _a === void 0 ? void 0 : _a.some((pack) => pack.packName === util_1.ML_POWERED_JS_QUERIES_PACK_NAME)) &&
         (await featureFlags.getValue(feature_flags_1.FeatureFlag.MlPoweredQueriesEnabled)) &&
         (await (0, util_1.codeQlVersionAbove)(codeQL, codeql_1.CODEQL_VERSION_ML_POWERED_QUERIES))) {
         if (!packs.javascript) {
             packs.javascript = [];
         }
-        packs.javascript.push(util_1.ML_POWERED_JS_QUERIES_PACK);
+        packs.javascript.push(await (0, util_1.getMlPoweredJsQueriesPack)(codeQL));
         injectedMlQueries = true;
     }
     const suites = languages.map((l) => `${l}-${suiteName}.qls`);

lib/config-utils.test.js

@@ -911,11 +911,20 @@ const mlPoweredQueriesMacro = ava_1.default.macro({
         ? `${expectedVersionString} are`
         : "aren't"} loaded for packs: ${packsInput}, queries: ${queriesInput} using CLI v${codeQLVersion} when feature flag is ${isMlPoweredQueriesFlagEnabled ? "enabled" : "disabled"}`,
 });
-// macro, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, versionString
+// macro, codeQLVersion, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, expectedVersionString
+// Test that ML-powered queries aren't run on v2.7.4 of the CLI.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.4", true, undefined, "security-extended", undefined);
+// Test that ML-powered queries aren't run when the feature flag is off.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", false, undefined, "security-extended", undefined);
+// Test that ML-powered queries aren't run when the user hasn't specified that we should run the
+// `security-extended` or `security-and-quality` query suite.
 (0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
-(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-extended", "~0.1.0");
+// Test that ML-powered queries are run on non-Windows platforms running `security-extended`.
-(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-and-quality", "~0.1.0");
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.1.0");
-(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", "0.0.1");
+// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality`.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, undefined, "security-and-quality", process.platform === "win32" ? undefined : "~0.1.0");
+// Test that we don't inject an ML-powered query pack if the user has already specified one.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.7.5", true, "codeql/javascript-experimental-atm-queries@0.0.1", "security-and-quality", process.platform === "win32" ? undefined : "0.0.1");
+// Test that the ~0.2.0 version of ML-powered queries is run on v2.8.4 of the CLI.
+(0, ava_1.default)(mlPoweredQueriesMacro, "2.8.4", true, undefined, "security-extended", process.platform === "win32" ? undefined : "~0.2.0");
 //# sourceMappingURL=config-utils.test.js.map

lib/util.js

@@ -22,7 +22,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.getMlPoweredJsQueriesStatus = exports.ML_POWERED_JS_QUERIES_PACK = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isGitHubGhesVersionBelow = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
+exports.getMlPoweredJsQueriesStatus = exports.getMlPoweredJsQueriesPack = exports.ML_POWERED_JS_QUERIES_PACK_NAME = exports.isGoodVersion = exports.delay = exports.bundleDb = exports.codeQlVersionAbove = exports.getCachedCodeQlVersion = exports.cacheCodeQlVersion = exports.isGitHubGhesVersionBelow = exports.isHTTPError = exports.UserError = exports.HTTPError = exports.getRequiredEnvParam = exports.isActions = exports.getMode = exports.enrichEnvironment = exports.initializeEnvironment = exports.Mode = exports.assertNever = exports.getGitHubAuth = exports.apiVersionInRange = exports.DisallowedAPIVersionReason = exports.checkGitHubVersionInRange = exports.getGitHubVersion = exports.GitHubVariant = exports.parseGitHubUrl = exports.getCodeQLDatabasePath = exports.getThreadsFlag = exports.getThreadsFlagValue = exports.getAddSnippetsFlag = exports.getMemoryFlag = exports.getMemoryFlagValue = exports.withTmpDir = exports.getToolNames = exports.getExtraOptionsEnvParam = exports.DEFAULT_DEBUG_DATABASE_NAME = exports.DEFAULT_DEBUG_ARTIFACT_NAME = exports.GITHUB_DOTCOM_URL = void 0;
 const fs = __importStar(require("fs"));
 const os = __importStar(require("os"));
 const path = __importStar(require("path"));
@@ -545,24 +545,26 @@ function isGoodVersion(versionSpec) {
     return !BROKEN_VERSIONS.includes(versionSpec);
 }
 exports.isGoodVersion = isGoodVersion;
+exports.ML_POWERED_JS_QUERIES_PACK_NAME = "codeql/javascript-experimental-atm-queries";
 /**
- * The ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
+ * Gets the ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
  * queries beta.
  */
-exports.ML_POWERED_JS_QUERIES_PACK = {
+async function getMlPoweredJsQueriesPack(codeQL) {
-    packName: "codeql/javascript-experimental-atm-queries",
+    if (await codeQlVersionAbove(codeQL, "2.8.4")) {
-    version: "~0.1.0",
+        return { packName: exports.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.2.0" };
-};
+    }
+    return { packName: exports.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" };
+}
+exports.getMlPoweredJsQueriesPack = getMlPoweredJsQueriesPack;
 /**
  * Get information about ML-powered JS queries to populate status reports with.
  *
  * This will be:
  *
- * - The version string if the analysis is using the ML-powered query pack that will be added to the
+ * - The version string if the analysis is using a single version of the ML-powered query pack.
- *   analysis if the repo is opted into the ML-powered queries beta, i.e.
+ * - "latest" if the version string of the ML-powered query pack is undefined. This is unlikely to
- *   {@link ML_POWERED_JS_QUERIES_PACK.version}. If the version string
+ *   occur in practice (see comment below).
- *   {@link ML_POWERED_JS_QUERIES_PACK.version} is undefined, then the status report string will be
- *   "latest", however this shouldn't occur in practice (see comment below).
  * - "false" if the analysis won't run any ML-powered JS queries.
  * - "other" in all other cases.
  *
@@ -572,30 +574,25 @@ exports.ML_POWERED_JS_QUERIES_PACK = {
  * version of the CodeQL Action. For instance, we might want to compare the `~0.1.0` and `~0.0.2`
  * version strings.
  *
- * We restrict the set of strings we report here by excluding other version strings and combinations
- * of version strings. We do this to limit the cardinality of the ML-powered JS queries status
- * report field, since some platforms that ingest this status report bill based on the cardinality
- * of its fields.
- *
  * This function lives here rather than in `init-action.ts` so it's easier to test, since tests for
  * `init-action.ts` would each need to live in their own file. See `analyze-action-env.ts` for an
  * explanation as to why this is.
  */
 function getMlPoweredJsQueriesStatus(config) {
-    const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter((pack) => pack.packName === exports.ML_POWERED_JS_QUERIES_PACK.packName);
+    const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter((pack) => pack.packName === exports.ML_POWERED_JS_QUERIES_PACK_NAME);
-    if (mlPoweredJsQueryPacks.length === 0) {
+    switch (mlPoweredJsQueryPacks.length) {
-        return "false";
+        case 1:
+            // We should always specify an explicit version string in `getMlPoweredJsQueriesPack`,
+            // otherwise we won't be able to make changes to the pack unless those changes are compatible
+            // with each version of the CodeQL Action. Therefore in practice we should only hit the
+            // `latest` case here when customers have explicitly added the ML-powered query pack to their
+            // CodeQL config.
+            return mlPoweredJsQueryPacks[0].version || "latest";
+        case 0:
+            return "false";
+        default:
+            return "other";
     }
-    const firstVersionString = mlPoweredJsQueryPacks[0].version;
-    if (mlPoweredJsQueryPacks.length === 1 &&
-        exports.ML_POWERED_JS_QUERIES_PACK.version === firstVersionString) {
-        // We should always specify an explicit version string in `ML_POWERED_JS_QUERIES_PACK`,
-        // otherwise we won't be able to make changes to the pack unless those changes are compatible
-        // with each version of the CodeQL Action. Therefore in practice, we should never hit the
-        // `latest` case here.
-        return exports.ML_POWERED_JS_QUERIES_PACK.version || "latest";
-    }
-    return "other";
 }
 exports.getMlPoweredJsQueriesStatus = getMlPoweredJsQueriesStatus;
 //# sourceMappingURL=util.js.map

lib/util.test.js

@@ -205,32 +205,43 @@ async function mockStdInForAuthExpectError(t, mockLogger, ...text) {
     await t.throwsAsync(async () => util.getGitHubAuth(mockLogger, undefined, true, stdin));
 }
 const ML_POWERED_JS_STATUS_TESTS = [
+    // If no packs are loaded, status is false.
     [[], "false"],
+    // If another pack is loaded but not the ML-powered query pack, status is false.
     [[{ packName: "someOtherPack" }], "false"],
+    // If the ML-powered query pack is loaded with a specific version, status is that version.
     [
-        [{ packName: "someOtherPack" }, util.ML_POWERED_JS_QUERIES_PACK],
+        [{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" }],
-        util.ML_POWERED_JS_QUERIES_PACK.version,
+        "~0.1.0",
-    ],
-    [[util.ML_POWERED_JS_QUERIES_PACK], util.ML_POWERED_JS_QUERIES_PACK.version],
-    [[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName }], "other"],
-    [
-        [{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "~0.0.1" }],
-        "other",
-    ],
-    [
-        [
-            { packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.1" },
-            { packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.2" },
-        ],
-        "other",
     ],
+    // If the ML-powered query pack is loaded with a specific version and another pack is loaded, the
+    // status is the version of the ML-powered query pack.
     [
         [
             { packName: "someOtherPack" },
-            { packName: util.ML_POWERED_JS_QUERIES_PACK.packName },
+            { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" },
+        ],
+        "~0.1.0",
+    ],
+    // If the ML-powered query pack is loaded without a version, the status is "latest".
+    [[{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME }], "latest"],
+    // If the ML-powered query pack is loaded with two different versions, the status is "other".
+    [
+        [
+            { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.1" },
+            { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.2" },
         ],
         "other",
     ],
+    // If the ML-powered query pack is loaded with no specific version, and another pack is loaded,
+    // the status is "latest".
+    [
+        [
+            { packName: "someOtherPack" },
+            { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME },
+        ],
+        "latest",
+    ],
 ];
 for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {
     const packDescriptions = `[${packs

node_modules/.package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.1.6",
+  "version": "2.1.7",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "codeql",
-  "version": "2.1.6",
+  "version": "2.1.7",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "codeql",
-      "version": "2.1.6",
+      "version": "2.1.7",
       "license": "MIT",
       "dependencies": {
         "@actions/artifact": "^1.0.0",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "2.1.6",
+  "version": "2.1.7",
   "private": true,
   "description": "CodeQL action",
   "scripts": {

pr-checks/checks/debug-artifacts.yml

@@ -13,7 +13,7 @@ steps:
     run: ./build.sh
   - uses: ./../action/analyze
     id: analysis
-  - uses: actions/download-artifact@v2
+  - uses: actions/download-artifact@v3
     with:
       name: my-debug-artifacts-${{ matrix.os }}-${{ matrix.version }}
   - shell: bash

pr-checks/checks/go-custom-queries.yml

@@ -1,7 +1,7 @@
 name: "Go: Custom queries"
 description: "Checks that Go works in conjunction with a config file specifying custom queries"
 steps:
-  - uses: actions/setup-go@v2
+  - uses: actions/setup-go@v3
     with:
       go-version: "^1.13.1"
   - uses: ./../action/init

pr-checks/checks/go-custom-tracing-autobuild.yml

@@ -4,7 +4,7 @@ os: ["ubuntu-latest", "macos-latest"]
 env:
   CODEQL_EXTRACTOR_GO_BUILD_TRACING: "true"
 steps:
-  - uses: actions/setup-go@v2
+  - uses: actions/setup-go@v3
     with:
       go-version: "^1.13.1"
   - uses: ./../action/init

pr-checks/checks/go-custom-tracing.yml

@@ -3,7 +3,7 @@ description: "Checks that Go tracing works"
 env:
   CODEQL_EXTRACTOR_GO_BUILD_TRACING: "true"
 steps:
-  - uses: actions/setup-go@v2
+  - uses: actions/setup-go@v3
     with:
       go-version: "^1.13.1"
   - uses: ./../action/init

pr-checks/checks/ml-powered-queries.yml

@@ -0,0 +1,67 @@
+name: "ML-powered queries"
+description: "Tests that ML-powered queries are run with the security-extended suite and that they produce alerts on a test DB"
+versions: [
+    # Latest release in 2.7.x series
+    "stable-20220120",
+    "cached",
+    "latest",
+    "nightly-latest",
+  ]
+# Test on all three platforms since ML-powered queries use native code
+os: ["ubuntu-latest", "macos-latest", "windows-latest"]
+steps:
+  - uses: ./../action/init
+    with:
+      languages: javascript
+      queries: security-extended
+      source-root: ./../action/tests/ml-powered-queries-repo
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+
+  - uses: ./../action/analyze
+    with:
+      output: "${{ runner.temp }}/results"
+      upload-database: false
+    env:
+      TEST_MODE: true
+
+  - name: Upload SARIF
+    uses: actions/upload-artifact@v3
+    with:
+      name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
+      path: "${{ runner.temp }}/results/javascript.sarif"
+      retention-days: 7
+
+  - name: Check results
+    env:
+      IS_WINDOWS: ${{ matrix.os == 'windows-latest' }}
+    shell: bash
+    run: |
+      cd "$RUNNER_TEMP/results"
+      # We should run at least the ML-powered queries in `expected_rules`.
+      expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
+
+      for rule in ${expected_rules}; do
+        found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
+          flatten | .[].id] | any(. == $rule)' javascript.sarif)
+        echo "Did find rule '${rule}': ${found_rule}"
+        if [[ "${found_rule}" != "true" && "${IS_WINDOWS}" != "true" ]]; then
+          echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
+          exit 1
+        elif [[ "${found_rule}" == "true" && "${IS_WINDOWS}" == "true" ]]; then
+          echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
+          exit 1
+        fi
+      done
+
+      # We should have at least one alert from an ML-powered query.
+      num_alerts=$(jq '[.runs[0].results[] |
+        select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
+        javascript.sarif)
+      echo "Found ${num_alerts} alerts from ML-powered queries.";
+      if [[ "${num_alerts}" -eq 0 && "${IS_WINDOWS}" != "true" ]]; then
+        echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
+        exit 1
+      elif [[ "${num_alerts}" -ne 0 && "${IS_WINDOWS}" == "true" ]]; then
+        echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
+        exit 1
+      fi

pr-checks/checks/with-checkout-path.yml

@@ -7,7 +7,7 @@ os: [ubuntu-latest, macos-latest, windows-2019]
 steps:
   # Check out the actions repo again, but at a different location.
   # choose an arbitrary SHA so that we can later test that the commit_oid is not from main
-  - uses: actions/checkout@v2
+  - uses: actions/checkout@v3
     with:
       ref: 474bbf07f9247ffe1856c6a0f94aeeb10e7afee6
       path: x/y/z/some-path

pr-checks/sync.py

@@ -49,7 +49,7 @@ for file in os.listdir('checks'):
     steps = [
         {
             'name': 'Check out repository',
-            'uses': 'actions/checkout@v2'
+            'uses': 'actions/checkout@v3'
         },
         {
             'name': 'Prepare test',
@@ -108,7 +108,7 @@ for file in os.listdir('checks'):
             },
             'on': {
                 'push': {
-                    'branches': ['main', 'v1']
+                    'branches': ['main', 'v1', 'v2']
                 },
                 'pull_request': {
                     'types': ["opened", "synchronize", "reopened", "ready_for_review"]

src/actions-util.ts

@@ -544,7 +544,7 @@ export async function getRef(): Promise<string> {
 
   const head = await getCommitOid(checkoutPath, "HEAD");
 
-  // in actions/checkout@v2 we can check if git rev-parse HEAD == GITHUB_SHA
+  // in actions/checkout@v2+ we can check if git rev-parse HEAD == GITHUB_SHA
   // in actions/checkout@v1 this may not be true as it checks out the repository
   // using GITHUB_REF. There is a subtle race condition where
   // git rev-parse GITHUB_REF != GITHUB_SHA, so we must check

src/codeql.ts

@@ -18,7 +18,7 @@ import { Logger } from "./logging";
 import * as toolcache from "./toolcache";
 import { toolrunnerErrorCatcher } from "./toolrunner-error-catcher";
 import * as util from "./util";
-import { isGoodVersion, ML_POWERED_JS_QUERIES_PACK } from "./util";
+import { isGoodVersion } from "./util";
 
 type Options = Array<string | number | boolean>;
 
@@ -741,9 +741,10 @@ async function getCodeQLForCmd(
         if (config.injectedMlQueries) {
           // We need to inject the ML queries into the original user input before
           // we pass this on to the CLI, to make sure these get run.
-          let packString = ML_POWERED_JS_QUERIES_PACK.packName;
+          const pack = await util.getMlPoweredJsQueriesPack(codeql);
-          if (ML_POWERED_JS_QUERIES_PACK.version)
+          const packString =
-            packString = `${packString}@${ML_POWERED_JS_QUERIES_PACK.version}`;
+            pack.packName + (pack.version ? `@${pack.version}` : "");
+
           if (augmentedConfig.packs === undefined) augmentedConfig.packs = [];
           if (Array.isArray(augmentedConfig.packs)) {
             augmentedConfig.packs.push(packString);

src/config-utils.test.ts

@@ -1788,7 +1788,8 @@ const mlPoweredQueriesMacro = test.macro({
     }`,
 });
 
-// macro, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, versionString
+// macro, codeQLVersion, isMlPoweredQueriesFlagEnabled, packsInput, queriesInput, expectedVersionString
+// Test that ML-powered queries aren't run on v2.7.4 of the CLI.
 test(
   mlPoweredQueriesMacro,
   "2.7.4",
@@ -1797,6 +1798,7 @@ test(
   "security-extended",
   undefined
 );
+// Test that ML-powered queries aren't run when the feature flag is off.
 test(
   mlPoweredQueriesMacro,
   "2.7.5",
@@ -1805,28 +1807,42 @@ test(
   "security-extended",
   undefined
 );
+// Test that ML-powered queries aren't run when the user hasn't specified that we should run the
+// `security-extended` or `security-and-quality` query suite.
 test(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
+// Test that ML-powered queries are run on non-Windows platforms running `security-extended`.
 test(
   mlPoweredQueriesMacro,
   "2.7.5",
   true,
   undefined,
   "security-extended",
-  "~0.1.0"
+  process.platform === "win32" ? undefined : "~0.1.0"
 );
+// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality`.
 test(
   mlPoweredQueriesMacro,
   "2.7.5",
   true,
   undefined,
   "security-and-quality",
-  "~0.1.0"
+  process.platform === "win32" ? undefined : "~0.1.0"
 );
+// Test that we don't inject an ML-powered query pack if the user has already specified one.
 test(
   mlPoweredQueriesMacro,
   "2.7.5",
   true,
   "codeql/javascript-experimental-atm-queries@0.0.1",
   "security-and-quality",
-  "0.0.1"
+  process.platform === "win32" ? undefined : "0.0.1"
+);
+// Test that the ~0.2.0 version of ML-powered queries is run on v2.8.4 of the CLI.
+test(
+  mlPoweredQueriesMacro,
+  "2.8.4",
+  true,
+  undefined,
+  "security-extended",
+  process.platform === "win32" ? undefined : "~0.2.0"
 );

src/config-utils.ts

@@ -17,8 +17,9 @@ import { Logger } from "./logging";
 import { RepositoryNwo } from "./repository";
 import {
   codeQlVersionAbove,
+  getMlPoweredJsQueriesPack,
   GitHubVersion,
-  ML_POWERED_JS_QUERIES_PACK,
+  ML_POWERED_JS_QUERIES_PACK_NAME,
 } from "./util";
 
 // Property names from the user-supplied config file.
@@ -299,10 +300,12 @@ async function addBuiltinSuiteQueries(
   // opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
   // pack, then add the ML-powered query pack so that we run ML-powered queries.
   if (
+    // Disable ML-powered queries on Windows
+    process.platform !== "win32" &&
     languages.includes("javascript") &&
     (found === "security-extended" || found === "security-and-quality") &&
     !packs.javascript?.some(
-      (pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK.packName
+      (pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK_NAME
     ) &&
     (await featureFlags.getValue(FeatureFlag.MlPoweredQueriesEnabled)) &&
     (await codeQlVersionAbove(codeQL, CODEQL_VERSION_ML_POWERED_QUERIES))
@@ -310,7 +313,7 @@ async function addBuiltinSuiteQueries(
     if (!packs.javascript) {
       packs.javascript = [];
     }
-    packs.javascript.push(ML_POWERED_JS_QUERIES_PACK);
+    packs.javascript.push(await getMlPoweredJsQueriesPack(codeQL));
     injectedMlQueries = true;
   }
 

src/util.test.ts

@@ -294,32 +294,43 @@ async function mockStdInForAuthExpectError(
 }
 
 const ML_POWERED_JS_STATUS_TESTS: Array<[PackWithVersion[], string]> = [
+  // If no packs are loaded, status is false.
   [[], "false"],
+  // If another pack is loaded but not the ML-powered query pack, status is false.
   [[{ packName: "someOtherPack" }], "false"],
+  // If the ML-powered query pack is loaded with a specific version, status is that version.
   [
-    [{ packName: "someOtherPack" }, util.ML_POWERED_JS_QUERIES_PACK],
+    [{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" }],
-    util.ML_POWERED_JS_QUERIES_PACK.version!,
+    "~0.1.0",
-  ],
-  [[util.ML_POWERED_JS_QUERIES_PACK], util.ML_POWERED_JS_QUERIES_PACK.version!],
-  [[{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName }], "other"],
-  [
-    [{ packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "~0.0.1" }],
-    "other",
-  ],
-  [
-    [
-      { packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.1" },
-      { packName: util.ML_POWERED_JS_QUERIES_PACK.packName, version: "0.0.2" },
-    ],
-    "other",
   ],
+  // If the ML-powered query pack is loaded with a specific version and another pack is loaded, the
+  // status is the version of the ML-powered query pack.
   [
     [
       { packName: "someOtherPack" },
-      { packName: util.ML_POWERED_JS_QUERIES_PACK.packName },
+      { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" },
+    ],
+    "~0.1.0",
+  ],
+  // If the ML-powered query pack is loaded without a version, the status is "latest".
+  [[{ packName: util.ML_POWERED_JS_QUERIES_PACK_NAME }], "latest"],
+  // If the ML-powered query pack is loaded with two different versions, the status is "other".
+  [
+    [
+      { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.1" },
+      { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME, version: "0.0.2" },
     ],
     "other",
   ],
+  // If the ML-powered query pack is loaded with no specific version, and another pack is loaded,
+  // the status is "latest".
+  [
+    [
+      { packName: "someOtherPack" },
+      { packName: util.ML_POWERED_JS_QUERIES_PACK_NAME },
+    ],
+    "latest",
+  ],
 ];
 
 for (const [packs, expectedStatus] of ML_POWERED_JS_STATUS_TESTS) {

src/util.ts

@@ -653,25 +653,30 @@ export function isGoodVersion(versionSpec: string) {
   return !BROKEN_VERSIONS.includes(versionSpec);
 }
 
+export const ML_POWERED_JS_QUERIES_PACK_NAME =
+  "codeql/javascript-experimental-atm-queries";
+
 /**
- * The ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
+ * Gets the ML-powered JS query pack to add to the analysis if a repo is opted into the ML-powered
  * queries beta.
  */
-export const ML_POWERED_JS_QUERIES_PACK: PackWithVersion = {
+export async function getMlPoweredJsQueriesPack(
-  packName: "codeql/javascript-experimental-atm-queries",
+  codeQL: CodeQL
-  version: "~0.1.0",
+): Promise<PackWithVersion> {
-};
+  if (await codeQlVersionAbove(codeQL, "2.8.4")) {
+    return { packName: ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.2.0" };
+  }
+  return { packName: ML_POWERED_JS_QUERIES_PACK_NAME, version: "~0.1.0" };
+}
 
 /**
  * Get information about ML-powered JS queries to populate status reports with.
  *
  * This will be:
  *
- * - The version string if the analysis is using the ML-powered query pack that will be added to the
+ * - The version string if the analysis is using a single version of the ML-powered query pack.
- *   analysis if the repo is opted into the ML-powered queries beta, i.e.
+ * - "latest" if the version string of the ML-powered query pack is undefined. This is unlikely to
- *   {@link ML_POWERED_JS_QUERIES_PACK.version}. If the version string
+ *   occur in practice (see comment below).
- *   {@link ML_POWERED_JS_QUERIES_PACK.version} is undefined, then the status report string will be
- *   "latest", however this shouldn't occur in practice (see comment below).
  * - "false" if the analysis won't run any ML-powered JS queries.
  * - "other" in all other cases.
  *
@@ -681,32 +686,25 @@ export const ML_POWERED_JS_QUERIES_PACK: PackWithVersion = {
  * version of the CodeQL Action. For instance, we might want to compare the `~0.1.0` and `~0.0.2`
  * version strings.
  *
- * We restrict the set of strings we report here by excluding other version strings and combinations
- * of version strings. We do this to limit the cardinality of the ML-powered JS queries status
- * report field, since some platforms that ingest this status report bill based on the cardinality
- * of its fields.
- *
  * This function lives here rather than in `init-action.ts` so it's easier to test, since tests for
  * `init-action.ts` would each need to live in their own file. See `analyze-action-env.ts` for an
  * explanation as to why this is.
  */
 export function getMlPoweredJsQueriesStatus(config: Config): string {
   const mlPoweredJsQueryPacks = (config.packs.javascript || []).filter(
-    (pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK.packName
+    (pack) => pack.packName === ML_POWERED_JS_QUERIES_PACK_NAME
   );
-  if (mlPoweredJsQueryPacks.length === 0) {
+  switch (mlPoweredJsQueryPacks.length) {
-    return "false";
+    case 1:
+      // We should always specify an explicit version string in `getMlPoweredJsQueriesPack`,
+      // otherwise we won't be able to make changes to the pack unless those changes are compatible
+      // with each version of the CodeQL Action. Therefore in practice we should only hit the
+      // `latest` case here when customers have explicitly added the ML-powered query pack to their
+      // CodeQL config.
+      return mlPoweredJsQueryPacks[0].version || "latest";
+    case 0:
+      return "false";
+    default:
+      return "other";
   }
-  const firstVersionString = mlPoweredJsQueryPacks[0].version;
-  if (
-    mlPoweredJsQueryPacks.length === 1 &&
-    ML_POWERED_JS_QUERIES_PACK.version === firstVersionString
-  ) {
-    // We should always specify an explicit version string in `ML_POWERED_JS_QUERIES_PACK`,
-    // otherwise we won't be able to make changes to the pack unless those changes are compatible
-    // with each version of the CodeQL Action. Therefore in practice, we should never hit the
-    // `latest` case here.
-    return ML_POWERED_JS_QUERIES_PACK.version || "latest";
-  }
-  return "other";
 }

tests/ml-powered-queries-repo/add-note.js

@@ -0,0 +1,21 @@
+const mongoose = require('mongoose');
+
+Logger = require('./logger').Logger;
+Note = require('./models/note').Note;
+
+(async () => {
+  if (process.argv.length != 5) {
+    Logger.log("Creates a private note.  Usage: node add-note.js <token> <title> <body>")
+    return;
+  }
+
+  // Open the default mongoose connection
+  await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
+
+  const [userToken, title, body] = process.argv.slice(2);
+  await Note.create({ title, body, userToken });
+
+  Logger.log(`Created private note with title ${title} and body ${body} belonging to user with token ${userToken}.`);
+
+  await mongoose.connection.close();
+})();

tests/ml-powered-queries-repo/app.js

@@ -0,0 +1,68 @@
+const bodyParser = require('body-parser');
+const express = require('express');
+const mongoose = require('mongoose');
+
+const notesApi = require('./notes-api');
+const usersApi = require('./users-api');
+
+const addSampleData = module.exports.addSampleData = async () => {
+  const [userA, userB] = await User.create([
+    {
+      name: "A",
+      token: "tokenA"
+    },
+    {
+      name: "B",
+      token: "tokenB"
+    }
+  ]);
+
+  await Note.create([
+    {
+      title: "Public note belonging to A",
+      body: "This is a public note belonging to A",
+      isPublic: true,
+      ownerToken: userA.token
+    },
+    {
+      title: "Public note belonging to B",
+      body: "This is a public note belonging to B",
+      isPublic: true,
+      ownerToken: userB.token
+    },
+    {
+      title: "Private note belonging to A",
+      body: "This is a private note belonging to A",
+      ownerToken: userA.token
+    },
+    {
+      title: "Private note belonging to B",
+      body: "This is a private note belonging to B",
+      ownerToken: userB.token
+    }
+  ]);
+}
+
+module.exports.startApp = async () => {
+  // Open the default mongoose connection
+  await mongoose.connect('mongodb://mongo:27017/notes', { useFindAndModify: false });
+  // Drop contents of DB
+  mongoose.connection.dropDatabase();
+  // Add some sample data
+  await addSampleData();
+
+  const app = express();
+
+  app.use(bodyParser.json());
+  app.use(bodyParser.urlencoded());
+
+  app.get('/', async (_req, res) => {
+    res.send('Hello World');
+  });
+
+  app.use('/api/notes', notesApi.router);
+  app.use('/api/users', usersApi.router);
+
+  app.listen(3000);
+  Logger.log('Express started on port 3000');
+};

tests/ml-powered-queries-repo/index.js

@@ -0,0 +1,7 @@
+const startApp = require('./app').startApp;
+
+Logger = require('./logger').Logger;
+Note = require('./models/note').Note;
+User = require('./models/user').User;
+
+startApp();

tests/ml-powered-queries-repo/logger.js

@@ -0,0 +1,5 @@
+module.exports.Logger = class {
+  log(message, ...objs) {
+    console.log(message, objs);
+  }
+};

tests/ml-powered-queries-repo/models/note.js

@@ -0,0 +1,8 @@
+const mongoose = require('mongoose');
+
+module.exports.Note = mongoose.model('Note', new mongoose.Schema({
+  title: String,
+  body: String,
+  ownerToken: String,
+  isPublic: Boolean
+}));

tests/ml-powered-queries-repo/models/user.js

@@ -0,0 +1,6 @@
+const mongoose = require('mongoose');
+
+module.exports.User = mongoose.model('User', new mongoose.Schema({
+  name: String,
+  token: String
+}));

tests/ml-powered-queries-repo/notes-api.js

@@ -0,0 +1,44 @@
+const express = require('express')
+
+const router = module.exports.router = express.Router();
+
+function serializeNote(note) {
+  return {
+    title: note.title,
+    body: note.body
+  };
+}
+
+router.post('/find', async (req, res) => {
+  const notes = await Note.find({
+    ownerToken: req.body.token
+  }).exec();
+  res.json({
+    notes: notes.map(serializeNote)
+  });
+});
+
+router.get('/findPublic', async (_req, res) => {
+  const notes = await Note.find({
+    isPublic: true
+  }).exec();
+  res.json({
+    notes: notes.map(serializeNote)
+  });
+});
+
+router.post('/findVisible', async (req, res) => {
+  const notes = await Note.find({
+    $or: [
+      {
+        isPublic: true
+      },
+      {
+        ownerToken: req.body.token
+      }
+    ]
+  }).exec();
+  res.json({
+    notes: notes.map(serializeNote)
+  });
+});

tests/ml-powered-queries-repo/read-notes.js

@@ -0,0 +1,37 @@
+const mongoose = require('mongoose');
+
+Logger = require('./logger').Logger;
+Note = require('./models/note').Note;
+User = require('./models/user').User;
+
+(async () => {
+  if (process.argv.length != 3) {
+    Logger.log("Outputs all notes visible to a user.  Usage: node read-notes.js <token>")
+    return;
+  }
+
+  // Open the default mongoose connection
+  await mongoose.connect('mongodb://localhost:27017/notes', { useFindAndModify: false });
+
+  const ownerToken = process.argv[2];
+
+  const user = await User.findOne({
+    token: ownerToken
+  }).exec();
+
+  const notes = await Note.find({
+    $or: [
+      { isPublic: true },
+      { ownerToken }
+    ]
+  }).exec();
+
+  notes.map(note => {
+    Logger.log("Title:" + note.title);
+    Logger.log("By:" + user.name);
+    Logger.log("Body:" + note.body);
+    Logger.log();
+  });
+
+  await mongoose.connection.close();
+})();

tests/ml-powered-queries-repo/users-api.js

@@ -0,0 +1,25 @@
+const express = require('express')
+
+Logger = require('./logger').Logger;
+const router = module.exports.router = express.Router();
+
+router.post('/updateName', async (req, res) => {
+  Logger.log("/updateName called with new name", req.body.name);
+  await User.findOneAndUpdate({
+    token: req.body.token
+  }, {
+    name: req.body.name
+  }).exec();
+  res.json({
+    name: req.body.name
+  });
+});
+
+router.post('/getName', async (req, res) => {
+  const user = await User.findOne({
+    token: req.body.token
+  }).exec();
+  res.json({
+    name: user.name
+  });
+});