diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js
index c482d87b4f2..501ce250969 100644
--- a/.github/action/dist/index.js
+++ b/.github/action/dist/index.js
@@ -28596,7 +28596,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
 return result;
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.installPack = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0;
+exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0;
 const fs = __importStar(__nccwpck_require__(7147));
 const path = __importStar(__nccwpck_require__(1017));
 const core = __importStar(__nccwpck_require__(2186));
@@ -28675,18 +28675,6 @@ async function downloadPack(codeql) {
 return false;
 }
 exports.downloadPack = downloadPack;
-async function installPack(codeql, dir) {
- try {
- await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib"));
- await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src"));
- return true;
- }
- catch (error) {
- core.warning("Failed to install local packs ...");
- }
- return false;
-}
-exports.installPack = installPack;
 async function codeqlDatabaseCreate(codeql) {
 // get runner temp directory for database
 var temp = process.env["RUNNER_TEMP"];
@@ -28734,84 +28722,6 @@ async function codeqlDatabaseAnalyze(codeql, database_path) {
 exports.codeqlDatabaseAnalyze = codeqlDatabaseAnalyze;
 
 
-/***/ }),
-
-/***/ 1772:
-/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
-
-"use strict";
-
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
- if (k2 === undefined) k2 = k;
- var desc = Object.getOwnPropertyDescriptor(m, k);
- if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
- desc = { enumerable: true, get: function() { return m[k]; } };
- }
- Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
- if (k2 === undefined) k2 = k;
- o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
- Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
- o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
- if (mod && mod.__esModule) return mod;
- var result = {};
- if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
- __setModuleDefault(result, mod);
- return result;
-};
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.clonePackRepo = exports.runCommandJson = exports.runCommand = exports.newGHConfig = void 0;
-const path = __importStar(__nccwpck_require__(1017));
-const core = __importStar(__nccwpck_require__(2186));
-const toolrunner = __importStar(__nccwpck_require__(8159));
-async function newGHConfig() {
- return {
- path: "/usr/bin/",
- };
-}
-exports.newGHConfig = newGHConfig;
-async function runCommand(config, args) {
- var bin = path.join(config.path, "gh");
- let output = "";
- var options = {
- listeners: {
- stdout: (data) => {
- output += data.toString();
- },
- },
- };
- await new toolrunner.ToolRunner(bin, args, options).exec();
- core.debug(`Finished running command :: ${bin} ${args.join(" ")}`);
- return output.trim();
-}
-exports.runCommand = runCommand;
-async function runCommandJson(config, args) {
- return JSON.parse(await runCommand(config, args));
-}
-exports.runCommandJson = runCommandJson;
-async function clonePackRepo(gh, path) {
- try {
- await runCommand(gh, [
- "repo",
- "clone",
- "GitHubSecurityLab/codeql-actions",
- path,
- ]);
- return true;
- }
- catch (error) {
- core.warning("Failed to clone pack from GitHub...");
- }
- return false;
-}
-exports.clonePackRepo = clonePackRepo;
-
-
 /***/ }),
 
 /***/ 6144:
@@ -28847,17 +28757,12 @@ exports.run = void 0;
 const path = __importStar(__nccwpck_require__(1017));
 const core = __importStar(__nccwpck_require__(2186));
 const cql = __importStar(__nccwpck_require__(950));
-const gh = __importStar(__nccwpck_require__(1772));
 /**
 * The main function for the action.
 * @returns {Promise} Resolves when the action is complete.
 */
 async function run() {
 try {
- // set up gh
- var ghc = await gh.newGHConfig();
- core.debug(`GH CLI found at '${ghc.path}'`);
- await gh.runCommand(ghc, ["version"]);
 // set up codeql
 var codeql = await cql.newCodeQL();
 core.debug(`CodeQL CLI found at '${codeql.path}'`);
@@ -28873,21 +28778,17 @@ async function run() {
 core.setFailed("CodeQL Yaml extractor not installed");
 throw new Error("CodeQL Yaml extractor not installed");
 }
- core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`);
- let pack_path = "/tmp/codeql-actions";
- var pack_cloned = await gh.clonePackRepo(ghc, pack_path);
- core.info(`Cloned CodeQL Actions pack into '${pack_path}'`);
- if (pack_cloned === false) {
- throw new Error("Could not clone the actions ql pack");
+ // download pack
+ core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`);
+ var pack_downloaded = await cql.downloadPack(codeql);
+ if (pack_downloaded === false) {
+ var action_path = path.resolve(path.join(__dirname, "..", "..", ".."));
+ codeql.pack = path.join(action_path, "ql", "src");
+ core.info(`Pack defaulting back to local pack: '${codeql.pack}'`);
 }
- core.info(`Installing CodeQL Actions packs from '${pack_path}'`);
- var pack_installed = await cql.installPack(codeql, pack_path);
- if (pack_installed === false) {
- throw new Error("Could not install the actions ql packs");
+ else {
+ core.info(`Pack downloaded '${codeql.pack}'`);
 }
- core.info(`Pack path: '${pack_path}'`);
- codeql.pack = path.join(pack_path, "ql", "src");
- core.info(`Codeql Queries pack path: '${codeql.pack}'`);
 core.info("Creating CodeQL database...");
 var database_path = await cql.codeqlDatabaseCreate(codeql);
 core.info("Running CodeQL analysis...");
diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts
index 7cb1dab48e5..ad787814448 100644
--- a/.github/action/src/codeql.ts
+++ b/.github/action/src/codeql.ts
@@ -106,20 +106,6 @@ export async function downloadPack(codeql: CodeQLConfig): Promise {
 return false;
 }
 
-export async function installPack(
- codeql: CodeQLConfig,
- dir: string,
-): Promise {
- try {
- await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib"));
- await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src"));
- return true;
- } catch (error) {
- core.warning("Failed to install local packs ...");
- }
- return false;
-}
-
 export async function codeqlDatabaseCreate(
 codeql: CodeQLConfig,
 ): Promise {
diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts
deleted file mode 100644
index 668e559e40b..00000000000
--- a/.github/action/src/gh.ts
+++ /dev/null
@@ -1,59 +0,0 @@
-import * as path from "path";
-import * as core from "@actions/core";
-import * as toolrunner from "@actions/exec/lib/toolrunner";
-
-export interface GHConfig {
- // The path to the codeql bundle.
- path: string;
-}
-
-export async function newGHConfig(): Promise {
- return {
- path: "/usr/bin/",
- };
-}
-
-export async function runCommand(
- config: GHConfig,
- args: string[],
-): Promise {
- var bin = path.join(config.path, "gh");
- let output = "";
- var options = {
- listeners: {
- stdout: (data: Buffer) => {
- output += data.toString();
- },
- },
- };
-
- await new toolrunner.ToolRunner(bin, args, options).exec();
- core.debug(`Finished running command :: ${bin} ${args.join(" ")}`);
-
- return output.trim();
-}
-
-export async function runCommandJson(
- config: GHConfig,
- args: string[],
-): Promise {
- return JSON.parse(await runCommand(config, args));
-}
-
-export async function clonePackRepo(
- gh: GHConfig,
- path: string,
-): Promise {
- try {
- await runCommand(gh, [
- "repo",
- "clone",
- "GitHubSecurityLab/codeql-actions",
- path,
- ]);
- return true;
- } catch (error) {
- core.warning("Failed to clone pack from GitHub...");
- }
- return false;
-}
diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts
index 717782b555c..b07bef25e84 100644
--- a/.github/action/src/index.ts
+++ b/.github/action/src/index.ts
@@ -1,7 +1,6 @@
 import * as path from "path";
 import * as core from "@actions/core";
 import * as cql from "./codeql";
-import * as gh from "./gh";
 
 /**
 * The main function for the action.
@@ -9,13 +8,6 @@ import * as gh from "./gh";
 */
 export async function run(): Promise {
 try {
- // set up gh
- var ghc = await gh.newGHConfig();
-
- core.debug(`GH CLI found at '${ghc.path}'`);
-
- await gh.runCommand(ghc, ["version"]);
-
 // set up codeql
 var codeql = await cql.newCodeQL();
 
@@ -36,26 +28,19 @@ export async function run(): Promise {
 throw new Error("CodeQL Yaml extractor not installed");
 }
 
- core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`);
- let pack_path = "/tmp/codeql-actions";
- var pack_cloned = await gh.clonePackRepo(ghc, pack_path);
- core.info(`Cloned CodeQL Actions pack into '${pack_path}'`);
+ // download pack
+ core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`);
+ var pack_downloaded = await cql.downloadPack(codeql);
 
- if (pack_cloned === false) {
- throw new Error("Could not clone the actions ql pack");
+ if (pack_downloaded === false) {
+ var action_path = path.resolve(path.join(__dirname, "..", "..", ".."));
+ codeql.pack = path.join(action_path, "ql", "src");
+
+ core.info(`Pack defaulting back to local pack: '${codeql.pack}'`);
+ } else {
+ core.info(`Pack downloaded '${codeql.pack}'`);
 }
 
- core.info(`Installing CodeQL Actions packs from '${pack_path}'`);
- var pack_installed = await cql.installPack(codeql, pack_path);
-
- if (pack_installed === false) {
- throw new Error("Could not install the actions ql packs");
- }
-
- core.info(`Pack path: '${pack_path}'`);
- codeql.pack = path.join(pack_path, "ql", "src");
- core.info(`Codeql Queries pack path: '${codeql.pack}'`);
-
 core.info("Creating CodeQL database...");
 var database_path = await cql.codeqlDatabaseCreate(codeql);
 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7380ae46d07..78fec3b00eb 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,7 +15,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
- - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+ - uses: dorny/paths-filter@v3
 id: changes
 with:
 filters: |
@@ -26,5 +26,3 @@ jobs:
 - name: Run action
 if: steps.changes.outputs.src == 'true'
 uses: ./
- with:
- extractor-version: latest
diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll
index 5040865be1d..1e30061bf45 100644
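Review bot: The fallback branch of the new `if (pack_downloaded === false)` block changes which queries the action runs — from the published pack to whatever `ql/src` is in the checked-out action tree — but reports it with `core.info`, so a failed download is indistinguishable in the job log from a normal run; `core.warning(`Pack download failed, defaulting to local pack: '${codeql.pack}'`);` would surface it as a job annotation. The log line introduced just above reads `Downloading CodeQL IaC pack`, while the messages this hunk removes and the rest of the file call it the Actions pack; `core.info(`Downloading CodeQL Actions pack '${codeql.pack}'`);` keeps the naming consistent. The `path.join(__dirname, "..", "..", "..")` walk assumes the running file sits three levels below the repository root, which holds for both `src/` and `dist/` under `.github/action/` but deserves a comment such as `// <repo root>/.github/action/{src,dist} -> three levels up to the action root`. The same lines appear in the generated `dist/index.js` hunk and should be regenerated from here rather than edited there. `run` begins and ends outside this hunk.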
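Review bot: The first hunk replaces the full-commit-SHA pin on `dorny/paths-filter` with the floating tag `v3`, so the third-party code this job runs can change without any change to this repository: whoever can move that tag upstream decides what executes with the job's token. The usual practice for third-party actions is to keep the immutable SHA and carry the tag as a comment, `- uses: dorny/paths-filter@<full commit SHA of the v3 release> # v3`, which keeps the tag readable and lets Dependabot bump the SHA. `actions/checkout@v4` on the line above is already tag-pinned, but that is a GitHub-maintained action and the repository may deliberately treat it differently. The second hunk removes the `extractor-version: latest` input, which is only right if the action's `action.yml` no longer declares that input; that file is not part of this diff.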
--- a/ql/lib/codeql/actions/DataFlow.qll
+++ b/ql/lib/codeql/actions/DataFlow.qll
@@ -7,12 +7,13 @@ module DataFlow {
 private import codeql.actions.dataflow.internal.DataFlowImplSpecific
 import DataFlowMake
 import codeql.actions.dataflow.internal.DataFlowPublic
-
- /** debug */
+ // debug
 private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific
 import codeql.dataflow.internal.DataFlowImplConsistency as DFIC
 
+ module ActionsConsistency implements DFIC::InputSig { }
+
 module Consistency {
- import DFIC::MakeConsistency
- }
+ import DFIC::MakeConsistency
+ }
 }
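Review bot: The new `module ActionsConsistency implements DFIC::InputSig { }` has an empty body and no QLDoc, so a reader cannot tell whether keeping every `InputSig` default is the intent or the module is a stub still to be filled in; a one-line `/** Consistency-check configuration for the Actions data-flow library; all InputSig predicates keep their defaults. */` above it would settle that. The `/** debug */` QLDoc is reduced to `// debug`, which no longer says what is debug-only — presumably the `Consistency` module and the imports feeding it, which ordinary queries are not expected to import; stating that in the comment would help. The removed and re-added `import DFIC::MakeConsistency` lines read identically on this page, so the actual change there (presumably in type arguments not rendered here) cannot be reviewed from this diff.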