Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merge main into v1 #614

Closed
wants to merge 26 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
7c391e9
Update readme to include section on missing analysis
aeisenberg Jun 25, 2021
571fe40
Merge branch 'main' into aeisenberg/readme-missing-analysis
aeisenberg Jun 28, 2021
d11b2ce
Update changelog and version after v1.0.4
invalid-email-address Jun 28, 2021
5c3c29f
1.0.5
invalid-email-address Jun 28, 2021
3a8e184
Merge pull request #599 from github/aeisenberg/readme-missing-analysis
aeisenberg Jun 28, 2021
8cccc06
Merge branch 'main' into mergeback/v1.0.4-to-main-03450ff6
edoardopirovano Jun 28, 2021
1e61ecb
Merge pull request #603 from github/mergeback/v1.0.4-to-main-03450ff6
edoardopirovano Jun 28, 2021
ef852c0
Support splitting of DB creation and query execution
edoardopirovano Jun 28, 2021
a689115
Allow to be run on workflow_dispatch
aeisenberg Jun 28, 2021
4a7cc17
Merge pull request #605 from github/aeisenberg/pr-checks-dispatch
edoardopirovano Jun 28, 2021
9547001
Run tests against nightly CLI bundles
edoardopirovano Jun 25, 2021
24ef87c
Merge pull request #600 from edoardopirovano/integration-test
edoardopirovano Jun 28, 2021
8f4c2c7
Allow local instead of downloaded CodeQL
edoardopirovano Jun 28, 2021
93214ec
Merge branch 'main' into split-create-analysis
edoardopirovano Jun 28, 2021
53cf5d9
Merge pull request #602 from edoardopirovano/split-create-analysis
edoardopirovano Jun 28, 2021
a7dac5c
Address PR comment.
edoardopirovano Jun 28, 2021
d9050f4
Merge branch 'main' into local-bundle
edoardopirovano Jun 28, 2021
c357ca7
Merge pull request #606 from edoardopirovano/local-bundle
edoardopirovano Jun 28, 2021
68f742b
Clarify missing LoC baseline message
aeisenberg Jun 30, 2021
d939c4b
Update CHANGELOG
aeisenberg Jun 30, 2021
c6b33b9
Merge pull request #608 from github/aeisenberg/baseline-message
aeisenberg Jun 30, 2021
0792832
Remove a TODO and use defautl tools option
aeisenberg Jun 30, 2021
fd614e5
Merge pull request #609 from github/aeisenberg/use-default-tools
aeisenberg Jun 30, 2021
870e8e3
Update CodeQL bundle to 20210702 / 2.5.7
hmakholm Jul 2, 2021
1c26d40
Merge pull request #613 from github/hmakholm/pr/2.5.7
hmakholm Jul 2, 2021
f93405d
1.0.5
invalid-email-address Jul 5, 2021
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
115 changes: 103 additions & 12 deletions .github/workflows/pr-checks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ on:
push:
branches: [main, v1]
pull_request:
workflow_dispatch:

jobs:
lint-js:
Expand Down Expand Up @@ -119,9 +120,6 @@ jobs:
with:
config-file: ".github/codeql/codeql-config-packaging.yml"
languages: javascript
# TODO: this can be removed when cli v2.5.6 is released and available in the tool cache
tools: https://github.com/dsp-testing/aeisenberg-codeql-action-packaging/releases/download/codeql-bundle-20210615/codeql-bundle-linux64.tar.gz

- name: Build code
shell: bash
run: ./build.sh
Expand Down Expand Up @@ -164,8 +162,6 @@ jobs:
config-file: ".github/codeql/codeql-config-packaging2.yml"
languages: javascript
packs: dsp-testing/[email protected], dsp-testing/codeql-pack2
# TODO: this can be removed when cli v2.5.6 is released and available in the tool cache
tools: https://github.com/dsp-testing/aeisenberg-codeql-action-packaging/releases/download/codeql-bundle-20210615/codeql-bundle-linux64.tar.gz

- name: Build code
shell: bash
Expand Down Expand Up @@ -209,8 +205,6 @@ jobs:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/[email protected]
languages: javascript
# TODO: this can be removed when cli v2.5.6 is released and available in the tool cache
tools: https://github.com/dsp-testing/aeisenberg-codeql-action-packaging/releases/download/codeql-bundle-20210615/codeql-bundle-linux64.tar.gz

- name: Build code
shell: bash
Expand All @@ -234,13 +228,67 @@ jobs:
exit 1
fi

# Tests a split workflow where database construction and query execution happen in different steps
test-split-workflow:
needs: [check-js, check-node-modules]
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v2
- name: Move codeql-action
shell: bash
run: |
mkdir ../action
mv * .github ../action/
mv ../action/tests/multi-language-repo/{*,.github} .
mv ../action/.github/workflows .github
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/[email protected]
languages: javascript
tools: latest
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
skip-queries: true
output: "${{ runner.temp }}/results"
env:
TEST_MODE: true
- name: Assert No Results
run: |
if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
echo "Expected results directory to be empty after skipping query execution!"
exit 1
fi
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
env:
TEST_MODE: true
- name: Assert Results
run: |
cd "$RUNNER_TEMP/results"
# We should have 3 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/two-block"

# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi

# Identify the CodeQL tool versions to integration test against.
check-codeql-versions:
needs: [check-js, check-node-modules]
runs-on: ubuntu-latest
outputs:
versions: ${{ steps.compare.outputs.versions }}
nightly-url: ${{ steps.get-url.outputs.nightly-url }}

steps:
- uses: actions/checkout@v2
Expand All @@ -266,22 +314,45 @@ jobs:
with:
tools: latest
languages: javascript
- name: Compare default and latest CodeQL bundle versions
- name: Remove empty database
# allows us to run init a third time
run: |
rm -rf "$RUNNER_TEMP/codeql_databases"
- name: Get nightly release URL
id: get-url
env:
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
shell: bash
# This workflow step gets an unstable testing version of the CodeQL CLI. It should not be used outside of these tests.
run: |
export LATEST=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
echo "::set-output name=nightly-url::https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$LATEST/codeql-bundle.tar.gz"
- name: Init with a CodeQL bundle from a nightly release
id: init-nightly
uses: ./../action/init
with:
tools: ${{ steps.get-url.outputs.nightly-url }}
languages: javascript
- name: Compare CodeQL bundle versions
id: compare
env:
CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
CODEQL_NIGHTLY: ${{ steps.init-nightly.outputs.codeql-path }}
NIGHTLY_URL: ${{ steps.get-url.outputs.nightly-url }}
run: |
CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
CODEQL_VERSION_NIGHTLY="$("$CODEQL_NIGHTLY" version --format terse)"
echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
echo "Nightly CodeQL bundle version is $CODEQL_VERSION_NIGHTLY"
if [[ "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
# Just use `tools: null` to avoid duplication in the integration tests.
VERSIONS_JSON='[null]'
# Skip `tools: latest` since it would be the same as `tools: null`
VERSIONS_JSON="[null, \"$NIGHTLY_URL\"]"
else
# Use both `tools: null` and `tools: latest` in the integration tests.
VERSIONS_JSON='[null, "latest"]'
# Run integration tests with all three bundles.
VERSIONS_JSON="[null, \"$NIGHTLY_URL\", \"latest\"]"
fi
# Output a JSON-encoded list with the distinct versions to test against.
echo "Suggested matrix config for integration tests: $VERSIONS_JSON"
Expand Down Expand Up @@ -803,3 +874,23 @@ jobs:
# Deliberately don't use TEST_MODE here. This is specifically testing
# the compatibility with the API.
runner/dist/codeql-runner-linux upload --sarif-file src/testdata/empty-sarif.sarif --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}

multi-language-repo_test-local-codeql:
needs: [check-js, check-node-modules, check-codeql-versions]
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v2
- name: Move codeql-action
run: |
wget ${{ needs.check-codeql-versions.outputs.nightly-url }}
mkdir ../action
mv * .github ../action/
mv ../action/tests/multi-language-repo/{*,.github} .
mv ../action/.github/workflows .github
- uses: ./../action/init
with:
tools: ../action/codeql-bundle.tar.gz
- name: Build code
run: ./build.sh
- uses: ./../action/analyze
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# CodeQL Action and CodeQL Runner Changelog

## 1.0.5 - 05 Jul 2021

- The `analyze` step of the Action now supports a `skip-queries` option to merely build the CodeQL database without analyzing. This functionality is not present in the runner. Additionally, the step will no longer fail if it encounters a finalized database, and will instead continue with query execution. [#602](https://github.com/github/codeql-action/pull/602)
- Update the warning message when the baseline lines of code count is unavailable. [#608](https://github.com/github/codeql-action/pull/608)

## 1.0.4 - 28 Jun 2021

- Fix `RUNNER_TEMP environment variable must be set` when using runner. [#594](https://github.com/github/codeql-action/pull/594)
Expand Down
8 changes: 8 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -128,3 +128,11 @@ By default, this will override any queries specified in a config file. If you wi
## Troubleshooting

Read about [troubleshooting code scanning](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning).

### Note on "missing analysis" message

The very first time code scanning is run and if it is on a pull request, you will probably get a message mentioning a "missing analysis". This is expected.

After code scanning has analyzed the code in a pull request, it needs to compare the analysis of the topic branch (the merge commit of the branch you used to create the pull request) with the analysis of the base branch (the branch into which you want to merge the pull request). This allows code scanning to compute which alerts are newly introduced by the pull request, which alerts were already present in the base branch, and whether any existing alerts are fixed by the changes in the pull request. Initially, if you use a pull request to add code scanning to a repository, the base branch has not yet been analyzed, so it's not possible to compute these details. In this case, when you click through from the results check on the pull request you will see the "Missing analysis for base commit SHA-HASH" message.

For more information and other causes of this message, see [Reasons for the "missing analysis" message](https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository#reasons-for-the-missing-analysis-message)
4 changes: 4 additions & 0 deletions analyze/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,10 @@ inputs:
description: Specify whether or not to add code snippets to the output sarif file.
required: false
default: "false"
skip-queries:
description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
required: false
default: "false"
threads:
description: The number of threads to be used by CodeQL.
required: false
Expand Down
32 changes: 23 additions & 9 deletions lib/analyze-action.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading