mirror of
https://github.com/github/codeql-action.git
synced 2025-12-31 19:50:32 +08:00
760583e70d
* Bump actions/setup-go from 3 to 4 Bumps [actions/setup-go](https://github.com/actions/setup-go) from 3 to 4. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](https://github.com/actions/setup-go/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * Update autogenerated workflows * Bump setup-go from v3 to v4 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
136 lines
4.8 KiB
YAML
Generated
136 lines
4.8 KiB
YAML
Generated
# Warning: This file is generated automatically, and should not be modified.
|
|
# Instead, please modify the template in the pr-checks directory and run:
|
|
# pip install ruamel.yaml && python3 sync.py
|
|
# to regenerate this file.
|
|
|
|
name: PR Check - ML-powered queries
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
GO111MODULE: auto
|
|
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- releases/v2
|
|
pull_request:
|
|
types:
|
|
- opened
|
|
- synchronize
|
|
- reopened
|
|
- ready_for_review
|
|
workflow_dispatch: {}
|
|
jobs:
|
|
ml-powered-queries:
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- os: ubuntu-20.04
|
|
version: stable-20220120
|
|
- os: macos-latest
|
|
version: stable-20220120
|
|
- os: windows-2019
|
|
version: stable-20220120
|
|
- os: ubuntu-latest
|
|
version: cached
|
|
- os: macos-latest
|
|
version: cached
|
|
- os: windows-latest
|
|
version: cached
|
|
- os: ubuntu-latest
|
|
version: latest
|
|
- os: macos-latest
|
|
version: latest
|
|
- os: windows-latest
|
|
version: latest
|
|
- os: ubuntu-latest
|
|
version: nightly-latest
|
|
- os: macos-latest
|
|
version: nightly-latest
|
|
- os: windows-latest
|
|
version: nightly-latest
|
|
name: ML-powered queries
|
|
timeout-minutes: 45
|
|
runs-on: ${{ matrix.os }}
|
|
steps:
|
|
- name: Check out repository
|
|
uses: actions/checkout@v3
|
|
- name: Prepare test
|
|
id: prepare-test
|
|
uses: ./.github/prepare-test
|
|
with:
|
|
version: ${{ matrix.version }}
|
|
- name: Set up Go
|
|
if: matrix.os == 'ubuntu-20.04' || matrix.os == 'windows-2019'
|
|
uses: actions/setup-go@v4
|
|
with:
|
|
go-version: ^1.13.1
|
|
- uses: ./../action/init
|
|
with:
|
|
languages: javascript
|
|
queries: security-extended
|
|
source-root: ./../action/tests/ml-powered-queries-repo
|
|
tools: ${{ steps.prepare-test.outputs.tools-url }}
|
|
|
|
- uses: ./../action/analyze
|
|
with:
|
|
output: ${{ runner.temp }}/results
|
|
upload-database: false
|
|
|
|
- name: Upload SARIF
|
|
uses: actions/upload-artifact@v3
|
|
with:
|
|
name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
|
|
path: ${{ runner.temp }}/results/javascript.sarif
|
|
retention-days: 7
|
|
|
|
- name: Check sarif
|
|
uses: ./../action/.github/check-sarif
|
|
# Running on Windows requires CodeQL CLI 2.9.0+.
|
|
if: "!(matrix.version == 'stable-20220120' && runner.os == 'Windows')"
|
|
with:
|
|
sarif-file: ${{ runner.temp }}/results/javascript.sarif
|
|
queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
|
|
queries-not-run: foo,bar
|
|
|
|
- name: Check results
|
|
env:
|
|
# Running on Windows requires CodeQL CLI 2.9.0+.
|
|
SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220120' &&
|
|
runner.os == 'Windows') }}
|
|
shell: bash
|
|
run: |
|
|
echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
|
|
|
|
cd "$RUNNER_TEMP/results"
|
|
# We should run at least the ML-powered queries in `expected_rules`.
|
|
expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
|
|
|
|
for rule in ${expected_rules}; do
|
|
found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
|
|
flatten | .[].id] | any(. == $rule)' javascript.sarif)
|
|
echo "Did find rule '${rule}': ${found_rule}"
|
|
if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
|
|
echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
|
|
exit 1
|
|
elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
|
|
echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
|
|
exit 1
|
|
fi
|
|
done
|
|
|
|
# We should have at least one alert from an ML-powered query.
|
|
num_alerts=$(jq '[.runs[0].results[] |
|
|
select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
|
|
javascript.sarif)
|
|
echo "Found ${num_alerts} alerts from ML-powered queries.";
|
|
if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
|
|
echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
|
|
exit 1
|
|
elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
|
|
echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
|
|
exit 1
|
|
fi
|
|
env:
|
|
CODEQL_ACTION_TEST_MODE: true
|