Skip to content

Commit

Permalink
Merge pull request #1107 from github/update-v2.1.13-31367d4e
Browse files Browse the repository at this point in the history
Merge main into releases/v2
  • Loading branch information
edoardopirovano authored Jun 21, 2022
2 parents 27ea8f8 + 8bd4419 commit d00e8c0
Show file tree
Hide file tree
Showing 47 changed files with 1,280 additions and 138 deletions.
20 changes: 20 additions & 0 deletions .github/check-sarif/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: Check SARIF
description: Checks a SARIF file to see if certain queries were run and others were not run.
inputs:
sarif-file:
required: true
description: The SARIF file to check

queries-run:
required: true
description: |
Comma separated list of query ids that should be included in this SARIF file.
queries-not-run:
required: true
description: |
Comma separated list of query ids that should NOT be included in this SARIF file.
runs:
using: node12
main: index.js
43 changes: 43 additions & 0 deletions .github/check-sarif/index.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
'use strict'

const core = require('@actions/core')
const fs = require('fs')

const sarif = JSON.parse(fs.readFileSync(core.getInput('sarif-file'), 'utf8'))
const rules = sarif.runs[0].tool.extensions.flatMap(ext => ext.rules || [])
const ruleIds = rules.map(rule => rule.id)

// Check that all the expected queries ran
const expectedQueriesRun = getQueryIdsInput('queries-run')
const queriesThatShouldHaveRunButDidNot = expectedQueriesRun.filter(queryId => !ruleIds.includes(queryId))

if (queriesThatShouldHaveRunButDidNot.length > 0) {
core.setFailed(`The following queries were expected to run but did not: ${queriesThatShouldHaveRunButDidNot.join(', ')}`)
}

// Check that all the unexpected queries did not run
const expectedQueriesNotRun = getQueryIdsInput('queries-not-run')

const queriesThatShouldNotHaveRunButDid = expectedQueriesNotRun.filter(queryId => ruleIds.includes(queryId))

if (queriesThatShouldNotHaveRunButDid.length > 0) {
core.setFailed(`The following queries were NOT expected to have run but did: ${queriesThatShouldNotHaveRunButDid.join(', ')}`)
}


core.startGroup('All queries run')
rules.forEach(rule => {
core.info(`${rule.id}: ${(rule.properties && rule.properties.name) || rule.name}`)
})
core.endGroup()

core.startGroup('Full SARIF')
core.info(JSON.stringify(sarif, null, 2))
core.endGroup()

function getQueryIdsInput(name) {
return core.getInput(name)
.split(',')
.map(q => q.trim())
.filter(q => q.length > 0)
}
52 changes: 52 additions & 0 deletions .github/query-filter-test/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
name: Query Filter Test
description: Runs a test of query filters using the check SARIF action
inputs:
sarif-file:
required: true
description: The SARIF file to check

queries-run:
required: true
description: |
Comma separated list of query ids that should be included in this SARIF file.
queries-not-run:
required: true
description: |
Comma separated list of query ids that should NOT be included in this SARIF file.
config-file:
required: true
description: |
The location of the codeql configuration file to use.
tools:
required: true
description: |
The url of codeql to use.
runs:
using: composite
steps:
- uses: ./../action/init
with:
languages: javascript
config-file: ${{ inputs.config-file }}
tools: ${{ inputs.tools }}
db-location: ${{ runner.temp }}/query-filter-test
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
upload: false
env:
TEST_MODE: "true"
- name: Check SARIF
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ inputs.sarif-file }}
queries-run: ${{ inputs.queries-run}}
queries-not-run: ${{ inputs.queries-not-run}}
- name: Cleanup after test
shell: bash
run: rm -rf "$RUNNER_TEMP/results" "$RUNNER_TEMP//query-filter-test"
47 changes: 47 additions & 0 deletions .github/workflows/expected-queries-runs.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,47 @@
name: Check queries that ran

on:
push:
branches:
- main
- releases/v1
- releases/v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}

jobs:
expected-queries:
name: Expected Queries Tests
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: latest
- uses: ./../action/init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
upload: false
env:
TEST_MODE: true

- name: Check Sarif
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/incomplete-hostname-regexp,js/path-injection
queries-not-run: foo,bar
56 changes: 56 additions & 0 deletions .github/workflows/query-filters.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,56 @@
name: Query filters tests

on:
push:
branches:
- main
- releases/v1
- releases/v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}

jobs:
query-filters:
name: Query Filters Tests
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: latest

- name: Check SARIF for default queries with Single include, Single exclude
uses: ./../action/.github/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip
queries-not-run: js/path-injection
config-file: ./.github/codeql/codeql-config-query-filters1.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}

- name: Check SARIF for query packs with Single include, Single exclude
uses: ./../action/.github/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block
queries-not-run: js/path-injection
config-file: ./.github/codeql/codeql-config-query-filters2.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}

- name: Check SARIF for query packs and local queries with Single include, Single exclude
uses: ./../action/.github/query-filter-test
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs
queries-not-run: js/path-injection,complex-python-querypack/show-ifs,complex-python-querypack/foo/bar/show-ifs
config-file: ./.github/codeql/codeql-config-query-filters3.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
2 changes: 1 addition & 1 deletion .github/workflows/script/update-required-checks.sh
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ fi
echo "Getting checks for $GITHUB_SHA"

# Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
CHECKS="$(gh api repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") | not)] | sort')"
CHECKS="$(gh api repos/github/codeql-action/commits/${GITHUB_SHA}/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "LGTM.com" or contains("Update") | not)] | unique | sort')"

echo "$CHECKS" | jq

Expand Down
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# CodeQL Action Changelog

## 2.1.13 - 21 Jun 2022

- Add the ability to filter queries from a code scanning run by using the `query-filters` option in the code scanning configuration file. [#1098](https://github.com/github/codeql-action/pull/1098)
- Update default CodeQL bundle version to 2.9.4. [#1100](https://github.com/github/codeql-action/pull/1100)

## 2.1.12 - 01 Jun 2022

- Update default CodeQL bundle version to 2.9.3. [#1084](https://github.com/github/codeql-action/pull/1084)
Expand Down
2 changes: 1 addition & 1 deletion lib/actions-util.js.map

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion lib/actions-util.test.js.map

Large diffs are not rendered by default.

78 changes: 59 additions & 19 deletions lib/analyze.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit d00e8c0

Please sign in to comment.