Compare commits

..

1 Commits

Author SHA1 Message Date
Asger F
0751ef5c72 JS: Use HTTP responses as taint sources 2024-06-13 09:33:06 +02:00
21681 changed files with 380938 additions and 1677115 deletions

View File

@@ -1,10 +1,8 @@
common --enable_platform_specific_config common --enable_platform_specific_config
common --enable_bzlmod
# because we use --override_module with `%workspace%`, the lock file is not stable # because we use --override_module with `%workspace%`, the lock file is not stable
common --lockfile_mode=off common --lockfile_mode=off
# Build release binaries by default, can be overwritten to in local.bazelrc and set to `fastbuild` or `dbg`
build --compilation_mode opt
# when building from this repository in isolation, the internal repository will not be found at .. # when building from this repository in isolation, the internal repository will not be found at ..
# where `MODULE.bazel` looks for it. The following will get us past the module loading phase, so # where `MODULE.bazel` looks for it. The following will get us past the module loading phase, so
# that we can build things that do not rely on that # that we can build things that do not rely on that
@@ -12,31 +10,18 @@ common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
build --repo_env=CC=clang --repo_env=CXX=clang++ build --repo_env=CC=clang --repo_env=CXX=clang++
# print test output, like sembuild does. build:linux --cxxopt=-std=c++20
# Set to `errors` if this is too verbose. # we currently cannot built the swift extractor for ARM
test --test_output all build:macos --cxxopt=-std=c++20 --copt=-arch --copt=x86_64 --linkopt=-arch --linkopt=x86_64
# we use transitions that break builds of `...`, so for `test` to work with that we need the following build:windows --cxxopt=/std:c++20 --cxxopt=/Zc:preprocessor
test --build_tests_only
# this requires developer mode, but is required to have pack installer functioning # this requires developer mode, but is required to have pack installer functioning
startup --windows_enable_symlinks startup --windows_enable_symlinks
common --enable_runfiles common --enable_runfiles
# with the above, we can avoid building python zips which is the default on windows as that's expensive
build --nobuild_python_zip
common --registry=file:///%workspace%/misc/bazel/registry common --registry=file:///%workspace%/misc/bazel/registry
common --registry=https://bcr.bazel.build common --registry=https://bcr.bazel.build
common --@rules_dotnet//dotnet/settings:strict_deps=false common --@rules_dotnet//dotnet/settings:strict_deps=false
# Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
build --java_language_version=17
build --tool_java_language_version=17
build --tool_java_runtime_version=remotejdk_17
build --java_runtime_version=remotejdk_17
build --@rules_python//python/config_settings:python_version=3.12
try-import %workspace%/local.bazelrc try-import %workspace%/local.bazelrc

View File

@@ -8,5 +8,3 @@ common --registry=https://bcr.bazel.build
# its implementation packages without providing any code itself. # its implementation packages without providing any code itself.
# We either can depend on internal implementation details, or turn of strict deps. # We either can depend on internal implementation details, or turn of strict deps.
common --@rules_dotnet//dotnet/settings:strict_deps=false common --@rules_dotnet//dotnet/settings:strict_deps=false
build --@rules_python//python/config_settings:python_version=3.12

View File

@@ -1 +1 @@
8.1.1 7.1.2

View File

@@ -1,7 +0,0 @@
FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04
USER root
# Install needed packages according to https://codeql.github.com/docs/codeql-overview/system-requirements/
# most come from the base image, but we need to install some additional ones
RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y sudo man-db python3.12 npm unminimize
RUN yes | unminimize

View File

@@ -7,10 +7,6 @@
"ms-vscode.test-adapter-converter", "ms-vscode.test-adapter-converter",
"slevesque.vscode-zipexplorer" "slevesque.vscode-zipexplorer"
], ],
"build": {
// Path is relative to the devcontainer.json file.
"dockerfile": "Dockerfile.codespaces"
},
"settings": { "settings": {
"files.watcherExclude": { "files.watcherExclude": {
"**/target/**": true "**/target/**": true

View File

@@ -0,0 +1,9 @@
# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.236.0/containers/cpp/.devcontainer/base.Dockerfile
# [Choice] Debian / Ubuntu version (use Debian 11, Ubuntu 18.04/22.04 on local arm64/Apple Silicon): debian-11, debian-10, ubuntu-22.04, ubuntu-20.04, ubuntu-18.04
FROM mcr.microsoft.com/vscode/devcontainers/cpp:0-ubuntu-22.04
USER root
ADD root.sh /tmp/root.sh
ADD update-codeql.sh /usr/local/bin/update-codeql
RUN bash /tmp/root.sh && rm /tmp/root.sh

View File

@@ -0,0 +1,25 @@
{
"extensions": [
"github.vscode-codeql",
"hbenl.vscode-test-explorer",
"ms-vscode.test-adapter-converter",
"slevesque.vscode-zipexplorer",
"ms-vscode.cpptools"
],
"settings": {
"files.watcherExclude": {
"**/target/**": true
},
"codeQL.runningQueries.memory": 2048
},
"build": {
"dockerfile": "Dockerfile",
},
"runArgs": [
"--cap-add=SYS_PTRACE",
"--security-opt",
"seccomp=unconfined"
],
"remoteUser": "vscode",
"onCreateCommand": ".devcontainer/swift/user.sh"
}

View File

@@ -0,0 +1,22 @@
set -xe
BAZELISK_VERSION=v1.12.0
BAZELISK_DOWNLOAD_SHA=6b0bcb2ea15bca16fffabe6fda75803440375354c085480fe361d2cbf32501db
apt-get update
export DEBIAN_FRONTEND=noninteractive
apt-get -y install --no-install-recommends \
zlib1g-dev \
uuid-dev \
python3-distutils \
python3-pip \
bash-completion
# Install Bazel
curl -fSsL -o /usr/local/bin/bazelisk https://github.com/bazelbuild/bazelisk/releases/download/${BAZELISK_VERSION}/bazelisk-linux-amd64
echo "${BAZELISK_DOWNLOAD_SHA} */usr/local/bin/bazelisk" | sha256sum --check -
chmod 0755 /usr/local/bin/bazelisk
ln -s bazelisk /usr/local/bin/bazel
# install latest codeql
update-codeql

View File

@@ -0,0 +1,20 @@
#!/bin/bash -e
URL=https://github.com/github/codeql-cli-binaries/releases
LATEST_VERSION=$(curl -L -s -H 'Accept: application/json' $URL/latest | sed -e 's/.*"tag_name":"\([^"]*\)".*/\1/')
CURRENT_VERSION=v$(codeql version 2>/dev/null | sed -ne 's/.*release \([0-9.]*\)\./\1/p')
if [[ $CURRENT_VERSION != $LATEST_VERSION ]]; then
if [[ $UID != 0 ]]; then
echo "update required, please run this script with sudo:"
echo " sudo $0"
exit 1
fi
ZIP=$(mktemp codeql.XXXX.zip)
curl -fSqL -o $ZIP $URL/download/$LATEST_VERSION/codeql-linux64.zip
unzip -q $ZIP -d /opt
rm $ZIP
ln -sf /opt/codeql/codeql /usr/local/bin/codeql
echo installed version $LATEST_VERSION
else
echo current version $CURRENT_VERSION is up-to-date
fi

13
.devcontainer/swift/user.sh Executable file
View File

@@ -0,0 +1,13 @@
set -xe
# add the workspace to the codeql search path
mkdir -p /home/vscode/.config/codeql
echo "--search-path /workspaces/codeql" > /home/vscode/.config/codeql/config
# create a swift extractor pack with the current state
cd /workspaces/codeql
bazel run swift/create-extractor-pack
#install and set up pre-commit
python3 -m pip install pre-commit --no-warn-script-location
$HOME/.local/bin/pre-commit install

38
.gitattributes vendored
View File

@@ -50,41 +50,33 @@
*.dll -text *.dll -text
*.pdb -text *.pdb -text
/java/ql/test/stubs/**/*.java linguist-generated=true java/ql/test/stubs/**/*.java linguist-generated=true
/java/ql/test/experimental/stubs/**/*.java linguist-generated=true java/ql/test/experimental/stubs/**/*.java linguist-generated=true
/java/kotlin-extractor/deps/*.jar filter=lfs diff=lfs merge=lfs -text
# Force git not to modify line endings for go or html files under the go/ql directory # Force git not to modify line endings for go or html files under the go/ql directory
/go/ql/**/*.go -text go/ql/**/*.go -text
/go/ql/**/*.html -text go/ql/**/*.html -text
# Force git not to modify line endings for go dbschemes # Force git not to modify line endings for go dbschemes
/go/*.dbscheme -text go/*.dbscheme -text
# Preserve unusual line ending from codeql-go merge # Preserve unusual line ending from codeql-go merge
/go/extractor/opencsv/CSVReader.java -text go/extractor/opencsv/CSVReader.java -text
# For some languages, upgrade script testing references really old dbscheme # For some languages, upgrade script testing references really old dbscheme
# files from legacy upgrades that have CRLF line endings. Since upgrade # files from legacy upgrades that have CRLF line endings. Since upgrade
# resolution relies on object hashes, we must suppress line ending conversion # resolution relies on object hashes, we must suppress line ending conversion
# for those testing dbscheme files. # for those testing dbscheme files.
/*/ql/lib/upgrades/initial/*.dbscheme -text */ql/lib/upgrades/initial/*.dbscheme -text
# Auto-generated modeling for Python # Auto-generated modeling for Python
/python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true
# auto-generated bazel lock file # auto-generated bazel lock file
/ruby/extractor/cargo-bazel-lock.json linguist-generated=true ruby/extractor/cargo-bazel-lock.json linguist-generated=true
/ruby/extractor/cargo-bazel-lock.json -merge ruby/extractor/cargo-bazel-lock.json -merge
# auto-generated files for the C# build # auto-generated files for the C# build
/csharp/paket.lock linguist-generated=true csharp/paket.lock linguist-generated=true
# needs eol=crlf, as `paket` touches this file and saves it as crlf # needs eol=crlf, as `paket` touches this file and saves it als crlf
/csharp/.paket/Paket.Restore.targets linguist-generated=true eol=crlf csharp/.paket/Paket.Restore.targets linguist-generated=true eol=crlf
/csharp/paket.main.bzl linguist-generated=true csharp/paket.main.bzl linguist-generated=true
/csharp/paket.main_extension.bzl linguist-generated=true csharp/paket.main_extension.bzl linguist-generated=true
# ripunzip tool
/misc/ripunzip/ripunzip-* filter=lfs diff=lfs merge=lfs -text
# swift prebuilt resources
/swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
/swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text

View File

@@ -4,13 +4,8 @@ queries:
- uses: security-and-quality - uses: security-and-quality
paths-ignore: paths-ignore:
- '/actions/ql/test'
- '/cpp/' - '/cpp/'
- '/java/' - '/java/'
- '/python/' - '/python/'
- '/javascript/ql/test' - '/javascript/ql/test'
- '/javascript/ql/integration-tests'
- '/javascript/extractor/tests' - '/javascript/extractor/tests'
- '/javascript/extractor/parser-tests'
- '/javascript/ql/src/'
- '/rust/ql'

View File

@@ -1,4 +0,0 @@
When reviewing code:
* do not review changes in files with `.expected` extension (they are automatically ensured to be correct).
* in `.ql` and `.qll` files, do not try to review the code itself as you don't understand the programming language
well enough to make comments in these languages. You can still check for typos or comment improvements.

8
.github/labeler.yml vendored
View File

@@ -30,18 +30,10 @@ Ruby:
- ruby/**/* - ruby/**/*
- change-notes/**/*ruby* - change-notes/**/*ruby*
Rust:
- rust/**/*
- change-notes/**/*rust*
Swift: Swift:
- swift/**/* - swift/**/*
- change-notes/**/*swift* - change-notes/**/*swift*
Actions:
- actions/**/*
- change-notes/**/*actions*
documentation: documentation:
- "**/*.qhelp" - "**/*.qhelp"
- "**/*.md" - "**/*.md"

View File

@@ -6,18 +6,18 @@ on:
ripunzip-version: ripunzip-version:
description: "what reference to checktout from google/runzip" description: "what reference to checktout from google/runzip"
required: false required: false
default: v2.0.2 default: v1.2.1
openssl-version: openssl-version:
description: "what reference to checkout from openssl/openssl for Linux" description: "what reference to checkout from openssl/openssl for Linux"
required: false required: false
default: openssl-3.5.0 default: openssl-3.3.0
jobs: jobs:
build: build:
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
os: [ubuntu-22.04, macos-13, windows-2022] os: [ubuntu-20.04, macos-12, windows-2019]
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4

View File

@@ -24,5 +24,5 @@ jobs:
extra_args: > extra_args: >
buildifier --all-files 2>&1 || buildifier --all-files 2>&1 ||
( (
echo -e "In order to format all bazel files, please run:\n bazel run //misc/bazel/buildifier"; exit 1 echo -e "In order to format all bazel files, please run:\n bazel run //misc/bazel:buildifier"; exit 1
) )

View File

@@ -1,23 +0,0 @@
name: Check overlay annotations
on:
push:
branches:
- main
- 'rc/*'
pull_request:
branches:
- main
- 'rc/*'
permissions:
contents: read
jobs:
sync:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Check overlay annotations
run: python config/add-overlay-annotations.py --check java

View File

@@ -30,8 +30,7 @@ jobs:
run: | run: |
EXIT_CODE=0 EXIT_CODE=0
# TODO: remove the shared exception from the regex when coverage of qlpacks without dbschemes is supported # TODO: remove the shared exception from the regex when coverage of qlpacks without dbschemes is supported
# TODO: remove the actions exception once https://github.com/github/codeql-team/issues/3656 is fixed changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(shared))[a-z]*/ql/lib' || true; } | sort -u)"
changed_lib_packs="$(git diff --name-only --diff-filter=ACMRT HEAD^ HEAD | { grep -Po '^(?!(shared|actions))[a-z]*/ql/lib' || true; } | sort -u)"
for pack_dir in ${changed_lib_packs}; do for pack_dir in ${changed_lib_packs}; do
lang="${pack_dir%/ql/lib}" lang="${pack_dir%/ql/lib}"
codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}" codeql generate library-doc-coverage --output="${RUNNER_TEMP}/${lang}-current.txt" --dir="${pack_dir}"

View File

@@ -18,10 +18,6 @@ on:
jobs: jobs:
CodeQL-Build: CodeQL-Build:
strategy:
fail-fast: false
matrix:
language: ['actions', 'csharp']
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -34,7 +30,7 @@ jobs:
- name: Setup dotnet - name: Setup dotnet
uses: actions/setup-dotnet@v4 uses: actions/setup-dotnet@v4
with: with:
dotnet-version: 9.0.100 dotnet-version: 8.0.101
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@v4 uses: actions/checkout@v4
@@ -42,8 +38,9 @@ jobs:
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: Initialize CodeQL
uses: github/codeql-action/init@main uses: github/codeql-action/init@main
# Override language selection by uncommenting this and choosing your languages
with: with:
languages: ${{ matrix.language }} languages: csharp
config-file: ./.github/codeql/codeql-config.yml config-file: ./.github/codeql/codeql-config.yml
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).

View File

@@ -7,11 +7,6 @@ on:
- "rc/*" - "rc/*"
- "codeql-cli-*" - "codeql-cli-*"
pull_request: pull_request:
paths:
- '**.ql'
- '**.qll'
- '**/qlpack.yml'
- '**.dbscheme'
permissions: permissions:
contents: read contents: read
@@ -38,9 +33,9 @@ jobs:
# run with --check-only if running in a PR (github.sha != main) # run with --check-only if running in a PR (github.sha != main)
if : ${{ github.event_name == 'pull_request' }} if : ${{ github.event_name == 'pull_request' }}
shell: bash shell: bash
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000 run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500
- name: compile queries - full - name: compile queries - full
# do full compile if running on main - this populates the cache # do full compile if running on main - this populates the cache
if : ${{ github.event_name != 'pull_request' }} if : ${{ github.event_name != 'pull_request' }}
shell: bash shell: bash
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000 run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500

View File

@@ -19,7 +19,7 @@ on:
jobs: jobs:
CodeQL-Build: CodeQL-Build:
runs-on: ubuntu-24.04 runs-on: ubuntu-latest
permissions: permissions:
contents: read contents: read
@@ -38,15 +38,17 @@ jobs:
languages: cpp languages: cpp
config-file: ./.github/codeql/codeql-config.yml config-file: ./.github/codeql/codeql-config.yml
- name: Install dependencies - name: "[Ubuntu] Remove GCC 13 from runner image"
shell: bash
run: | run: |
sudo rm -f /etc/apt/sources.list.d/ubuntu-toolchain-r-ubuntu-test-jammy.list
sudo apt-get update sudo apt-get update
sudo apt-get install -y uuid-dev sudo apt-get install -y --allow-downgrades libc6=2.35-* libc6-dev=2.35-* libstdc++6=12.3.0-* libgcc-s1=12.3.0-*
- name: "Build Swift extractor using Bazel" - name: "Build Swift extractor using Bazel"
run: | run: |
bazel clean --expunge bazel clean --expunge
bazel run //swift:install --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local --features=-layering_check
bazel shutdown bazel shutdown
- name: Perform CodeQL Analysis - name: Perform CodeQL Analysis

View File

@@ -5,10 +5,8 @@ on:
paths: paths:
- "csharp/**" - "csharp/**"
- "shared/**" - "shared/**"
- "misc/bazel/**"
- .github/actions/fetch-codeql/action.yml - .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml - codeql-workspace.yml
- "MODULE.bazel"
branches: branches:
- main - main
- "rc/*" - "rc/*"
@@ -16,11 +14,9 @@ on:
paths: paths:
- "csharp/**" - "csharp/**"
- "shared/**" - "shared/**"
- "misc/bazel/**"
- .github/workflows/csharp-qltest.yml - .github/workflows/csharp-qltest.yml
- .github/actions/fetch-codeql/action.yml - .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml - codeql-workspace.yml
- "MODULE.bazel"
branches: branches:
- main - main
- "rc/*" - "rc/*"
@@ -33,24 +29,63 @@ permissions:
contents: read contents: read
jobs: jobs:
qlupgrade:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/fetch-codeql
- name: Check DB upgrade scripts
run: |
echo >empty.trap
codeql dataset import -S ql/lib/upgrades/initial/semmlecode.csharp.dbscheme testdb empty.trap
codeql dataset upgrade testdb --additional-packs ql/lib
diff -q testdb/semmlecode.csharp.dbscheme ql/lib/semmlecode.csharp.dbscheme
- name: Check DB downgrade scripts
run: |
echo >empty.trap
rm -rf testdb; codeql dataset import -S ql/lib/semmlecode.csharp.dbscheme testdb empty.trap
codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
--dbscheme=ql/lib/semmlecode.csharp.dbscheme --target-dbscheme=downgrades/initial/semmlecode.csharp.dbscheme |
xargs codeql execute upgrades testdb
diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
qltest:
if: github.repository_owner == 'github'
runs-on: ubuntu-latest-xl
strategy:
fail-fast: false
matrix:
slice: ["1/2", "2/2"]
steps:
- uses: actions/checkout@v4
- uses: ./csharp/actions/create-extractor-pack
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: csharp-qltest-${{ matrix.slice }}
- name: Run QL tests
run: |
codeql test run --threads=0 --ram 50000 --slice ${{ matrix.slice }} --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
env:
GITHUB_TOKEN: ${{ github.token }}
unit-tests: unit-tests:
strategy: strategy:
matrix: matrix:
os: [ubuntu-latest, windows-latest] os: [ubuntu-latest, windows-2019]
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Setup dotnet - name: Setup dotnet
uses: actions/setup-dotnet@v4 uses: actions/setup-dotnet@v4
with: with:
dotnet-version: 9.0.100 dotnet-version: 8.0.101
- name: Extractor unit tests - name: Extractor unit tests
run: | run: |
dotnet tool restore dotnet tool restore
dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests dotnet test -p:RuntimeFrameworkVersion=8.0.1 extractor/Semmle.Util.Tests
dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests dotnet test -p:RuntimeFrameworkVersion=8.0.1 extractor/Semmle.Extraction.Tests
dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests dotnet test -p:RuntimeFrameworkVersion=8.0.1 autobuilder/Semmle.Autobuild.CSharp.Tests
dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests dotnet test -p:RuntimeFrameworkVersion=8.0.1 autobuilder/Semmle.Autobuild.Cpp.Tests
shell: bash shell: bash
stubgentest: stubgentest:
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -66,6 +101,6 @@ jobs:
# Update existing stubs in the repo with the freshly generated ones # Update existing stubs in the repo with the freshly generated ones
mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/ mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
git status git status
codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote codeql test run --threads=0 --search-path extractor-pack --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
env: env:
GITHUB_TOKEN: ${{ github.token }} GITHUB_TOKEN: ${{ github.token }}

View File

@@ -37,7 +37,7 @@ jobs:
run: | run: |
DATABASE="${{ runner.temp }}/java-database" DATABASE="${{ runner.temp }}/java-database"
codeql database analyze --format=sarif-latest --output=metrics-java.sarif -- "$DATABASE" ./java/ql/src/Metrics/Summaries/FrameworkCoverage.ql codeql database analyze --format=sarif-latest --output=metrics-java.sarif -- "$DATABASE" ./java/ql/src/Metrics/Summaries/FrameworkCoverage.ql
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: metrics-java.sarif name: metrics-java.sarif
path: metrics-java.sarif path: metrics-java.sarif
@@ -64,7 +64,7 @@ jobs:
run: | run: |
DATABASE="${{ runner.temp }}/csharp-database" DATABASE="${{ runner.temp }}/csharp-database"
codeql database analyze --format=sarif-latest --output=metrics-csharp.sarif -- "$DATABASE" ./csharp/ql/src/Metrics/Summaries/FrameworkCoverage.ql codeql database analyze --format=sarif-latest --output=metrics-csharp.sarif -- "$DATABASE" ./csharp/ql/src/Metrics/Summaries/FrameworkCoverage.ql
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: metrics-csharp.sarif name: metrics-csharp.sarif
path: metrics-csharp.sarif path: metrics-csharp.sarif

View File

@@ -71,21 +71,21 @@ jobs:
run: | run: |
python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
- name: Upload CSV package list - name: Upload CSV package list
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: csv-framework-coverage-merge name: csv-framework-coverage-merge
path: | path: |
out_merge/framework-coverage-*.csv out_merge/framework-coverage-*.csv
out_merge/framework-coverage-*.rst out_merge/framework-coverage-*.rst
- name: Upload CSV package list - name: Upload CSV package list
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: csv-framework-coverage-base name: csv-framework-coverage-base
path: | path: |
out_base/framework-coverage-*.csv out_base/framework-coverage-*.csv
out_base/framework-coverage-*.rst out_base/framework-coverage-*.rst
- name: Upload comparison results - name: Upload comparison results
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: comparison name: comparison
path: | path: |
@@ -97,7 +97,7 @@ jobs:
env: env:
PR_NUMBER: ${{ github.event.pull_request.number }} PR_NUMBER: ${{ github.event.pull_request.number }}
- name: Upload PR number - name: Upload PR number
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: pr name: pr
path: pr/ path: pr/
@@ -117,7 +117,7 @@ jobs:
GITHUB_TOKEN: ${{ github.token }} GITHUB_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.pull_request.number }} PR_NUMBER: ${{ github.event.pull_request.number }}
- name: Upload comment ID (if it exists) - name: Upload comment ID (if it exists)
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: comment name: comment
path: comment/ path: comment/

View File

@@ -30,7 +30,7 @@ jobs:
run: | run: |
python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
- name: Upload timeseries CSV - name: Upload timeseries CSV
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: framework-coverage-timeseries name: framework-coverage-timeseries
path: framework-coverage-timeseries-*.csv path: framework-coverage-timeseries-*.csv

View File

@@ -34,12 +34,12 @@ jobs:
run: | run: |
python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
- name: Upload CSV package list - name: Upload CSV package list
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: framework-coverage-csv name: framework-coverage-csv
path: framework-coverage-*.csv path: framework-coverage-*.csv
- name: Upload RST package list - name: Upload RST package list
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: framework-coverage-rst name: framework-coverage-rst
path: framework-coverage-*.rst path: framework-coverage-*.rst

32
.github/workflows/go-tests-other-os.yml vendored Normal file
View File

@@ -0,0 +1,32 @@
name: "Go: Run Tests - Other OS"
on:
pull_request:
paths:
- "go/**"
- "!go/ql/**" # don't run other-os if only ql/ files changed
- .github/workflows/go-tests-other-os.yml
- .github/actions/**
- codeql-workspace.yml
permissions:
contents: read
jobs:
test-mac:
name: Test MacOS
runs-on: macos-latest
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run tests
uses: ./go/actions/test
test-win:
if: github.repository_owner == 'github'
name: Test Windows
runs-on: windows-latest-xl
steps:
- name: Check out code
uses: actions/checkout@v4
- name: Run tests
uses: ./go/actions/test

View File

@@ -1,16 +1,20 @@
name: "Go: Run Tests" name: "Go: Run Tests"
on: on:
pull_request: push:
paths:
- "go/**"
- .github/workflows/go-tests.yml
- .github/actions/**
- codeql-workspace.yml
branches:
- main
- "rc/*"
pull_request:
paths: paths:
- "go/**" - "go/**"
- "!go/documentation/**"
- "shared/**"
- .github/workflows/go-tests.yml - .github/workflows/go-tests.yml
- .github/actions/** - .github/actions/**
- codeql-workspace.yml - codeql-workspace.yml
- MODULE.bazel
- .bazelrc
- misc/bazel/**
permissions: permissions:
contents: read contents: read

View File

@@ -1,28 +0,0 @@
name: "Kotlin Build"
on:
pull_request:
paths:
- "java/kotlin-extractor/**"
- "misc/bazel/**"
- "misc/codegen/**"
- "*.bazel*"
- .github/workflows/kotlin-build.yml
branches:
- main
- rc/*
- codeql-cli-*
permissions:
contents: read
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: |
bazel query //java/kotlin-extractor/...
# only build the default version as a quick check that we can build from `codeql`
# the full official build will be checked by QLucie
bazel build //java/kotlin-extractor

View File

@@ -38,20 +38,14 @@ jobs:
path: codeql-main path: codeql-main
ref: main ref: main
- uses: ./codeql-main/.github/actions/fetch-codeql - uses: ./codeql-main/.github/actions/fetch-codeql
# compute the shortname of the project that does not contain any special (disk) characters
- run: |
echo "SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}" >> $GITHUB_OUTPUT
env:
SLUG: ${{ matrix.slug }}
id: shortname
- name: Download database - name: Download database
env: env:
SLUG: ${{ matrix.slug }} SLUG: ${{ matrix.slug }}
GH_TOKEN: ${{ github.token }} GH_TOKEN: ${{ github.token }}
SHORTNAME: ${{ steps.shortname.outputs.SHORTNAME }}
run: | run: |
set -x set -x
mkdir lib-dbs mkdir lib-dbs
SHORTNAME=${SLUG//[^a-zA-Z0-9_]/}
gh api -H "Accept: application/zip" "/repos/${SLUG}/code-scanning/codeql/databases/java" > "$SHORTNAME.zip" gh api -H "Accept: application/zip" "/repos/${SLUG}/code-scanning/codeql/databases/java" > "$SHORTNAME.zip"
unzip -q -d "${SHORTNAME}-db" "${SHORTNAME}.zip" unzip -q -d "${SHORTNAME}-db" "${SHORTNAME}.zip"
mkdir "lib-dbs/$SHORTNAME/" mkdir "lib-dbs/$SHORTNAME/"
@@ -68,7 +62,7 @@ jobs:
DATABASE=$2 DATABASE=$2
cd codeql-$QL_VARIANT cd codeql-$QL_VARIANT
SHORTNAME=`basename $DATABASE` SHORTNAME=`basename $DATABASE`
python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
mkdir -p $MODELS/$SHORTNAME mkdir -p $MODELS/$SHORTNAME
mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
cd .. cd ..
@@ -99,14 +93,14 @@ jobs:
name="diff_${basename/.model.yml/""}" name="diff_${basename/.model.yml/""}"
(diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true (diff -w -u $m $t | diff2html -i stdin -F $MODELS/$name.html) || true
done done
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: models-${{ steps.shortname.outputs.SHORTNAME }} name: models
path: tmp-models/**/**/*.model.yml path: tmp-models/**/**/*.model.yml
retention-days: 20 retention-days: 20
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: diffs-${{ steps.shortname.outputs.SHORTNAME }} name: diffs
path: tmp-models/*.html path: tmp-models/*.html
# An html file is only produced if the generated models differ. # An html file is only produced if the generated models differ.
if-no-files-found: ignore if-no-files-found: ignore

View File

@@ -59,7 +59,7 @@ jobs:
find java -name "*.model.yml" -print0 | xargs -0 git add find java -name "*.model.yml" -print0 | xargs -0 git add
git status git status
git diff --cached > models.patch git diff --cached > models.patch
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: patch name: patch
path: models.patch path: models.patch

View File

@@ -17,11 +17,8 @@ jobs:
post_comment: post_comment:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Download artifacts - name: Download artifact
run: | run: gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "comment"
gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "comment-pr-number"
gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "comment-body"
gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "comment-id"
env: env:
GITHUB_TOKEN: ${{ github.token }} GITHUB_TOKEN: ${{ github.token }}
WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }} WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}

View File

@@ -1,35 +0,0 @@
name: Python tooling
on:
pull_request:
paths:
- "misc/bazel/**"
- "misc/codegen/**"
- "misc/scripts/models-as-data/bulk_generate_mad.py"
- "*.bazel*"
- .github/workflows/codegen.yml
- .pre-commit-config.yaml
branches:
- main
- rc/*
- codeql-cli-*
permissions:
contents: read
jobs:
check-python-tooling:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: '3.12'
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
name: Check that python code is properly formatted
with:
extra_args: black --all-files
- name: Run codegen tests
shell: bash
run: |
bazel test //misc/codegen/...

View File

@@ -36,9 +36,9 @@ jobs:
- run: echo "${PR_NUMBER}" > pr_number.txt - run: echo "${PR_NUMBER}" > pr_number.txt
env: env:
PR_NUMBER: ${{ github.event.number }} PR_NUMBER: ${{ github.event.number }}
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: comment-pr-number name: comment
path: pr_number.txt path: pr_number.txt
if-no-files-found: error if-no-files-found: error
retention-days: 1 retention-days: 1
@@ -78,9 +78,9 @@ jobs:
exit "${EXIT_CODE}" exit "${EXIT_CODE}"
- if: ${{ !cancelled() }} - if: ${{ !cancelled() }}
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: comment-body name: comment
path: comment_body.txt path: comment_body.txt
if-no-files-found: error if-no-files-found: error
retention-days: 1 retention-days: 1
@@ -94,9 +94,9 @@ jobs:
GITHUB_TOKEN: ${{ github.token }} GITHUB_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ github.event.number }} PR_NUMBER: ${{ github.event.number }}
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: comment-id name: comment
path: comment_id.txt path: comment_id.txt
if-no-files-found: error if-no-files-found: error
retention-days: 1 retention-days: 1

View File

@@ -60,7 +60,7 @@ jobs:
- name: Make database and analyze - name: Make database and analyze
run: | run: |
./ql/target/release/buramu | tee deprecated.blame # Add a blame file for the extractor to parse. ./ql/target/release/buramu | tee deprecated.blame # Add a blame file for the extractor to parse.
${CODEQL} database create -l=ql ${DB} --search-path "${{ github.workspace }}" ${CODEQL} database create -l=ql --search-path ql/extractor-pack ${DB}
${CODEQL} database analyze -j0 --format=sarif-latest --output=ql-for-ql.sarif ${DB} ql/ql/src/codeql-suites/ql-code-scanning.qls --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" ${CODEQL} database analyze -j0 --format=sarif-latest --output=ql-for-ql.sarif ${DB} ql/ql/src/codeql-suites/ql-code-scanning.qls --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
env: env:
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }} CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
@@ -75,7 +75,7 @@ jobs:
sarif_file: ql-for-ql.sarif sarif_file: ql-for-ql.sarif
category: ql-for-ql category: ql-for-ql
- name: Sarif as artifact - name: Sarif as artifact
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: ql-for-ql.sarif name: ql-for-ql.sarif
path: ql-for-ql.sarif path: ql-for-ql.sarif
@@ -84,7 +84,7 @@ jobs:
mkdir split-sarif mkdir split-sarif
node ./ql/scripts/split-sarif.js ql-for-ql.sarif split-sarif node ./ql/scripts/split-sarif.js ql-for-ql.sarif split-sarif
- name: Upload langs as artifacts - name: Upload langs as artifacts
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: ql-for-ql-langs name: ql-for-ql-langs
path: split-sarif path: split-sarif

View File

@@ -53,7 +53,7 @@ jobs:
- name: Create database - name: Create database
run: | run: |
"${CODEQL}" database create \ "${CODEQL}" database create \
--search-path "${{ github.workspace }}" \ --search-path "ql/extractor-pack" \
--threads 4 \ --threads 4 \
--language ql --source-root "${{ github.workspace }}/repo" \ --language ql --source-root "${{ github.workspace }}/repo" \
"${{ runner.temp }}/database" "${{ runner.temp }}/database"
@@ -65,7 +65,7 @@ jobs:
"${CODEQL}" dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ql" "${CODEQL}" dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ql"
env: env:
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }} CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: measurements name: measurements
path: stats path: stats
@@ -76,14 +76,14 @@ jobs:
needs: measure needs: measure
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: actions/download-artifact@v4 - uses: actions/download-artifact@v3
with: with:
name: measurements name: measurements
path: stats path: stats
- run: | - run: |
python -m pip install --user lxml python -m pip install --user lxml
find stats -name 'stats.xml' -print0 | sort -z | xargs -0 python ruby/scripts/merge_stats.py --output ql/ql/src/ql.dbscheme.stats --normalise ql_tokeninfo find stats -name 'stats.xml' -print0 | sort -z | xargs -0 python ruby/scripts/merge_stats.py --output ql/ql/src/ql.dbscheme.stats --normalise ql_tokeninfo
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: ql.dbscheme.stats name: ql.dbscheme.stats
path: ql/ql/src/ql.dbscheme.stats path: ql/ql/src/ql.dbscheme.stats

View File

@@ -40,7 +40,7 @@ jobs:
ql/target ql/target
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }} key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-qltest-cargo-${{ hashFiles('ql/rust-toolchain.toml', 'ql/**/Cargo.lock') }}
- name: Check formatting - name: Check formatting
run: cd ql; cargo fmt -- --check run: cd ql; cargo fmt --all -- --check
- name: Build extractor - name: Build extractor
run: | run: |
cd ql; cd ql;
@@ -53,7 +53,7 @@ jobs:
key: ql-for-ql-tests key: ql-for-ql-tests
- name: Run QL tests - name: Run QL tests
run: | run: |
"${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}" --consistency-queries ql/ql/consistency-queries --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" ql/ql/test "${CODEQL}" test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}/ql/extractor-pack" --consistency-queries ql/ql/consistency-queries --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" ql/ql/test
env: env:
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }} CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
@@ -100,7 +100,7 @@ jobs:
- name: Run a single QL tests - Unix - name: Run a single QL tests - Unix
if: runner.os != 'Windows' if: runner.os != 'Windows'
run: | run: |
"${CODEQL}" test run --check-databases --search-path "${{ github.workspace }}" ql/ql/test/queries/style/DeadCode/DeadCode.qlref "${CODEQL}" test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref
env: env:
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }} CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
- name: Run a single QL tests - Windows - name: Run a single QL tests - Windows
@@ -108,4 +108,5 @@ jobs:
shell: pwsh shell: pwsh
run: | run: |
$Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})" $Env:PATH += ";$(dirname ${{ steps.find-codeql.outputs.codeql-path }})"
codeql test run --check-databases --search-path "${{ github.workspace }}" ql/ql/test/queries/style/DeadCode/DeadCode.qlref codeql test run --check-databases --search-path "${{ github.workspace }}/ql/extractor-pack" ql/ql/test/queries/style/DeadCode/DeadCode.qlref

View File

@@ -37,7 +37,7 @@ jobs:
run: | run: |
python codeql/misc/scripts/generate-code-scanning-query-list.py > code-scanning-query-list.csv python codeql/misc/scripts/generate-code-scanning-query-list.py > code-scanning-query-list.csv
- name: Upload code scanning query list - name: Upload code scanning query list
uses: actions/upload-artifact@v4 uses: actions/upload-artifact@v3
with: with:
name: code-scanning-query-list name: code-scanning-query-list
path: code-scanning-query-list.csv path: code-scanning-query-list.csv

View File

@@ -7,7 +7,6 @@ on:
- .github/workflows/ruby-build.yml - .github/workflows/ruby-build.yml
- .github/actions/fetch-codeql/action.yml - .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml - codeql-workspace.yml
- "shared/tree-sitter-extractor/**"
branches: branches:
- main - main
- "rc/*" - "rc/*"
@@ -17,7 +16,6 @@ on:
- .github/workflows/ruby-build.yml - .github/workflows/ruby-build.yml
- .github/actions/fetch-codeql/action.yml - .github/actions/fetch-codeql/action.yml
- codeql-workspace.yml - codeql-workspace.yml
- "shared/tree-sitter-extractor/**"
branches: branches:
- main - main
- "rc/*" - "rc/*"
@@ -65,8 +63,8 @@ jobs:
id: cache-extractor id: cache-extractor
with: with:
path: | path: |
target/release/codeql-extractor-ruby ruby/extractor/target/release/codeql-extractor-ruby
target/release/codeql-extractor-ruby.exe ruby/extractor/target/release/codeql-extractor-ruby.exe
ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }} key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
- uses: actions/cache@v3 - uses: actions/cache@v3
@@ -75,11 +73,11 @@ jobs:
path: | path: |
~/.cargo/registry ~/.cargo/registry
~/.cargo/git ~/.cargo/git
target ruby/target
key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }} key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
- name: Check formatting - name: Check formatting
if: steps.cache-extractor.outputs.cache-hit != 'true' if: steps.cache-extractor.outputs.cache-hit != 'true'
run: cd extractor && cargo fmt -- --check run: cd extractor && cargo fmt --all -- --check
- name: Build - name: Build
if: steps.cache-extractor.outputs.cache-hit != 'true' if: steps.cache-extractor.outputs.cache-hit != 'true'
run: cd extractor && cargo build --verbose run: cd extractor && cargo build --verbose
@@ -91,23 +89,23 @@ jobs:
run: cd extractor && cargo build --release run: cd extractor && cargo build --release
- name: Generate dbscheme - name: Generate dbscheme
if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}} if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
run: ../target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll run: extractor/target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
if: ${{ matrix.os == 'ubuntu-latest' }} if: ${{ matrix.os == 'ubuntu-latest' }}
with: with:
name: ruby.dbscheme name: ruby.dbscheme
path: ruby/ql/lib/ruby.dbscheme path: ruby/ql/lib/ruby.dbscheme
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
if: ${{ matrix.os == 'ubuntu-latest' }} if: ${{ matrix.os == 'ubuntu-latest' }}
with: with:
name: TreeSitter.qll name: TreeSitter.qll
path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: extractor-${{ matrix.os }} name: extractor-${{ matrix.os }}
path: | path: |
target/release/codeql-extractor-ruby ruby/extractor/target/release/codeql-extractor-ruby
target/release/codeql-extractor-ruby.exe ruby/extractor/target/release/codeql-extractor-ruby.exe
retention-days: 1 retention-days: 1
compile-queries: compile-queries:
if: github.repository_owner == 'github' if: github.repository_owner == 'github'
@@ -134,32 +132,31 @@ jobs:
PACK_FOLDER=$(readlink -f "$PACKS"/codeql/ruby-queries/*) PACK_FOLDER=$(readlink -f "$PACKS"/codeql/ruby-queries/*)
codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
(cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;) (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: codeql-ruby-queries name: codeql-ruby-queries
path: | path: |
${{ runner.temp }}/query-packs/* ${{ runner.temp }}/query-packs/*
retention-days: 1 retention-days: 1
include-hidden-files: true
package: package:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: [build, compile-queries] needs: [build, compile-queries]
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: actions/download-artifact@v4 - uses: actions/download-artifact@v3
with: with:
name: ruby.dbscheme name: ruby.dbscheme
path: ruby/ruby path: ruby/ruby
- uses: actions/download-artifact@v4 - uses: actions/download-artifact@v3
with: with:
name: extractor-ubuntu-latest name: extractor-ubuntu-latest
path: ruby/linux64 path: ruby/linux64
- uses: actions/download-artifact@v4 - uses: actions/download-artifact@v3
with: with:
name: extractor-windows-latest name: extractor-windows-latest
path: ruby/win64 path: ruby/win64
- uses: actions/download-artifact@v4 - uses: actions/download-artifact@v3
with: with:
name: extractor-macos-latest name: extractor-macos-latest
path: ruby/osx64 path: ruby/osx64
@@ -172,13 +169,12 @@ jobs:
cp win64/codeql-extractor-ruby.exe ruby/tools/win64/extractor.exe cp win64/codeql-extractor-ruby.exe ruby/tools/win64/extractor.exe
chmod +x ruby/tools/{linux64,osx64}/extractor chmod +x ruby/tools/{linux64,osx64}/extractor
zip -rq codeql-ruby.zip ruby zip -rq codeql-ruby.zip ruby
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: codeql-ruby-pack name: codeql-ruby-pack
path: ruby/codeql-ruby.zip path: ruby/codeql-ruby.zip
retention-days: 1 retention-days: 1
include-hidden-files: true - uses: actions/download-artifact@v3
- uses: actions/download-artifact@v4
with: with:
name: codeql-ruby-queries name: codeql-ruby-queries
path: ruby/qlpacks path: ruby/qlpacks
@@ -190,12 +186,11 @@ jobs:
] ]
}' > .codeqlmanifest.json }' > .codeqlmanifest.json
zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: codeql-ruby-bundle name: codeql-ruby-bundle
path: ruby/codeql-ruby-bundle.zip path: ruby/codeql-ruby-bundle.zip
retention-days: 1 retention-days: 1
include-hidden-files: true
test: test:
defaults: defaults:
@@ -214,7 +209,7 @@ jobs:
uses: ./.github/actions/fetch-codeql uses: ./.github/actions/fetch-codeql
- name: Download Ruby bundle - name: Download Ruby bundle
uses: actions/download-artifact@v4 uses: actions/download-artifact@v3
with: with:
name: codeql-ruby-bundle name: codeql-ruby-bundle
path: ${{ runner.temp }} path: ${{ runner.temp }}

View File

@@ -44,7 +44,7 @@ jobs:
- name: Create database - name: Create database
run: | run: |
codeql database create \ codeql database create \
--search-path "${{ github.workspace }}" \ --search-path "${{ github.workspace }}/ruby/extractor-pack" \
--threads 4 \ --threads 4 \
--language ruby --source-root "${{ github.workspace }}/repo" \ --language ruby --source-root "${{ github.workspace }}/repo" \
"${{ runner.temp }}/database" "${{ runner.temp }}/database"
@@ -52,9 +52,9 @@ jobs:
run: | run: |
mkdir -p "stats/${{ matrix.repo }}" mkdir -p "stats/${{ matrix.repo }}"
codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby" codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: measurements-${{ hashFiles('stats/**') }} name: measurements
path: stats path: stats
retention-days: 1 retention-days: 1
@@ -63,13 +63,14 @@ jobs:
needs: measure needs: measure
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: actions/download-artifact@v4 - uses: actions/download-artifact@v3
with: with:
name: measurements
path: stats path: stats
- run: | - run: |
python -m pip install --user lxml python -m pip install --user lxml
find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: ruby.dbscheme.stats name: ruby.dbscheme.stats
path: ruby/ql/lib/ruby.dbscheme.stats path: ruby/ql/lib/ruby.dbscheme.stats

View File

@@ -1,40 +0,0 @@
name: "Ruby: Run RTJO Language Tests"
on:
pull_request:
types:
- opened
- synchronize
- reopened
- labeled
env:
CARGO_TERM_COLOR: always
defaults:
run:
working-directory: ruby
permissions:
contents: read
jobs:
qltest-rtjo:
if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
runs-on: ubuntu-latest-xl
strategy:
fail-fast: false
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/fetch-codeql
- uses: ./ruby/actions/create-extractor-pack
- name: Cache compilation cache
id: query-cache
uses: ./.github/actions/cache-query-compilation
with:
key: ruby-qltest
- name: Run QL tests
run: |
codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
env:
GITHUB_TOKEN: ${{ github.token }}

View File

@@ -68,6 +68,6 @@ jobs:
key: ruby-qltest key: ruby-qltest
- name: Run QL tests - name: Run QL tests
run: | run: |
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}/ruby/extractor-pack" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
env: env:
GITHUB_TOKEN: ${{ github.token }} GITHUB_TOKEN: ${{ github.token }}

View File

@@ -1,64 +0,0 @@
name: "Code scanning - Rust"
on:
push:
branches:
- main
- 'rc/*'
pull_request:
branches:
- main
- 'rc/*'
paths:
- '**/*.rs'
- '**/Cargo.toml'
- '.github/codeql/codeql-config.yml'
- '.github/workflows/rust-analysis.yml'
schedule:
- cron: '0 9 * * 1'
env:
CODEQL_ENABLE_EXPERIMENTAL_FEATURES: "true"
jobs:
analyze:
strategy:
matrix:
language: [ 'rust' ]
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
pull-requests: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Query latest nightly CodeQL bundle
shell: bash
id: codeql
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
REPO=dsp-testing/codeql-cli-nightlies
TAG=$(
gh release list -R $REPO -L1 --exclude-drafts --json tagName -q ".[] | .tagName"
)
echo "nightly_bundle=https://github.com/$REPO/releases/download/$TAG/codeql-bundle-linux64.tar.zst" \
| tee -a "$GITHUB_OUTPUT"
- name: Initialize CodeQL
uses: github/codeql-action/init@main
with:
tools: ${{ steps.codeql.outputs.nightly_bundle }}
languages: ${{ matrix.language }}
config-file: ./.github/codeql/codeql-config.yml
- name: Autobuild
uses: github/codeql-action/autobuild@main
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@main

View File

@@ -1,80 +0,0 @@
name: "Rust"
on:
pull_request:
paths:
- "rust/**"
- "misc/bazel/**"
- "misc/codegen/**"
- "shared/**"
- "MODULE.bazel"
- .github/workflows/rust.yml
- .github/actions/**
- codeql-workspace.yml
- "!**/*.md"
- "!**/*.qhelp"
branches:
- rust-experiment
- main
- rc/*
- codeql-cli-*
permissions:
contents: read
jobs:
rust-ast-generator:
runs-on: ubuntu-latest
defaults:
run:
working-directory: rust/ast-generator
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Inject sources
shell: bash
run: |
bazel run //rust/ast-generator:inject-sources
- name: Format
shell: bash
run: |
cargo fmt --check
- name: Compilation
shell: bash
run: cargo check
- name: Clippy
shell: bash
run: |
cargo clippy --no-deps -- -D warnings
rust-code:
runs-on: ubuntu-latest
defaults:
run:
working-directory: rust/extractor
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Format
shell: bash
run: |
cargo fmt --check
- name: Compilation
shell: bash
run: cargo check
- name: Clippy
shell: bash
run: |
cargo clippy --no-deps -- -D warnings
rust-codegen:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Install CodeQL
uses: ./.github/actions/fetch-codeql
- name: Code generation
shell: bash
run: |
bazel run //rust/codegen
git add .
git diff --exit-code HEAD

View File

@@ -18,39 +18,73 @@ on:
- main - main
- rc/* - rc/*
- codeql-cli-* - codeql-cli-*
push:
paths:
- "swift/**"
- "misc/bazel/**"
- "misc/codegen/**"
- "shared/**"
- "*.bazel*"
- .github/workflows/swift.yml
- .github/actions/**
- codeql-workspace.yml
- .pre-commit-config.yaml
- "!**/*.md"
- "!**/*.qhelp"
branches:
- main
- rc/*
- codeql-cli-*
permissions: permissions:
contents: read contents: read
defaults:
run:
shell: bash
working-directory: swift
jobs: jobs:
build-and-test: # not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
# without waiting for the macOS build
build-and-test-macos:
if: github.repository_owner == 'github' if: github.repository_owner == 'github'
strategy: runs-on: macos-12-xl
matrix:
runner: [ubuntu-latest, macos-15-xlarge]
fail-fast: false
runs-on: ${{ matrix.runner }}
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Setup (Linux) - uses: ./swift/actions/build-and-test
if: runner.os == 'Linux' build-and-test-linux:
run: | if: github.repository_owner == 'github'
sudo apt-get update runs-on: ubuntu-latest-xl
sudo apt-get install -y uuid-dev zlib1g-dev steps:
- name: Build Swift extractor - uses: actions/checkout@v4
shell: bash - uses: ./swift/actions/build-and-test
run: | qltests-linux:
bazel run :install if: github.repository_owner == 'github'
- name: Run Swift tests needs: build-and-test-linux
shell: bash runs-on: ubuntu-latest-xl
run: | steps:
bazel test ... --test_tag_filters=-override --test_output=errors - uses: actions/checkout@v4
- uses: ./swift/actions/run-ql-tests
qltests-macos:
if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
needs: build-and-test-macos
runs-on: macos-12-xl
steps:
- uses: actions/checkout@v4
- uses: ./swift/actions/run-ql-tests
integration-tests-linux:
if: github.repository_owner == 'github'
needs: build-and-test-linux
runs-on: ubuntu-latest-xl
steps:
- uses: actions/checkout@v4
- uses: ./swift/actions/run-integration-tests
integration-tests-macos:
if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
needs: build-and-test-macos
runs-on: macos-12-xl
timeout-minutes: 60
steps:
- uses: actions/checkout@v4
- uses: ./swift/actions/run-integration-tests
clang-format: clang-format:
if : ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@@ -59,9 +93,18 @@ jobs:
with: with:
extra_args: clang-format --all-files extra_args: clang-format --all-files
codegen: codegen:
if : ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: bazelbuild/setup-bazelisk@v2
- uses: actions/setup-python@v4
with:
python-version-file: 'swift/.python-version'
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
name: Check that python code is properly formatted
with:
extra_args: autopep8 --all-files
- uses: ./.github/actions/fetch-codeql - uses: ./.github/actions/fetch-codeql
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507 - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
name: Check that QL generated code was checked in name: Check that QL generated code was checked in
@@ -69,14 +112,15 @@ jobs:
extra_args: swift-codegen --all-files extra_args: swift-codegen --all-files
- name: Generate C++ files - name: Generate C++ files
run: | run: |
bazel run codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v3
with: with:
name: swift-generated-cpp-files name: swift-generated-cpp-files
path: generated-cpp-files/** path: generated-cpp-files/**
check-no-override: database-upgrade-scripts:
if : ${{ github.event_name == 'pull_request' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Check that no override is present in load.bzl - uses: ./.github/actions/fetch-codeql
run: bazel test ... --test_tag_filters=override --test_output=errors - uses: ./swift/actions/database-upgrade-scripts

View File

@@ -32,7 +32,7 @@ jobs:
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- name: Check formatting - name: Check formatting
run: cargo fmt -- --check run: cargo fmt --all -- --check
- name: Run tests - name: Run tests
run: cargo test --verbose run: cargo test --verbose
fmt: fmt:

View File

@@ -31,4 +31,4 @@ jobs:
- name: Fail if there are any errors with existing change notes - name: Fail if there are any errors with existing change notes
run: | run: |
codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental

View File

@@ -1,23 +0,0 @@
name: "Test zipmerge code"
on:
pull_request:
paths:
- "misc/bazel/internal/zipmerge/**"
- "MODULE.bazel"
- ".bazelrc*"
branches:
- main
- "rc/*"
permissions:
contents: read
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: |
bazel test //misc/bazel/internal/zipmerge:test --test_output=all

18
.gitignore vendored
View File

@@ -7,8 +7,8 @@
.cache .cache
# qltest projects and artifacts # qltest projects and artifacts
*.actual */ql/test/**/*.testproj
*/ql/test*/**/*.testproj */ql/test/**/*.actual
*/ql/test/**/go.sum */ql/test/**/go.sum
# Visual studio temporaries, except a file used by QL4VS # Visual studio temporaries, except a file used by QL4VS
@@ -62,17 +62,3 @@ node_modules/
# Temporary folders for working with generated models # Temporary folders for working with generated models
.model-temp .model-temp
/mad-generation-build
# bazel-built in-tree extractor packs
/*/extractor-pack
# Jetbrains IDE files
.idea
# cargo build directory
/target
# some upgrade/downgrade checks create these files
**/upgrades/*/*.dbscheme.stats
**/downgrades/*/*.dbscheme.stats

View File

@@ -2,6 +2,4 @@
# codeql is publicly forked by many users, and we don't want any LFS file polluting their working # codeql is publicly forked by many users, and we don't want any LFS file polluting their working
# copies. We therefore exclude everything by default. # copies. We therefore exclude everything by default.
# For files required by bazel builds, use rules in `misc/bazel/lfs.bzl` to download them on demand. # For files required by bazel builds, use rules in `misc/bazel/lfs.bzl` to download them on demand.
# we go for `fetchinclude` to something not exsiting rather than `fetchexclude = *` because the
# former is easier to override (with `git -c` or a local git config) to fetch something specific
fetchinclude = /nothing fetchinclude = /nothing

View File

@@ -1,26 +1,24 @@
# See https://pre-commit.com for more information # See https://pre-commit.com for more information
# See https://pre-commit.com/hooks.html for more hooks # See https://pre-commit.com/hooks.html for more hooks
default_language_version:
python: python3.12
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks - repo: https://github.com/pre-commit/pre-commit-hooks
rev: v3.2.0 rev: v3.2.0
hooks: hooks:
- id: trailing-whitespace - id: trailing-whitespace
exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$ exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
- id: end-of-file-fixer - id: end-of-file-fixer
exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$ exclude: /test/.*$(?<!\.ql)(?<!\.qll)(?<!\.qlref)|.*\.patch
- repo: https://github.com/pre-commit/mirrors-clang-format - repo: https://github.com/pre-commit/mirrors-clang-format
rev: v17.0.6 rev: v17.0.6
hooks: hooks:
- id: clang-format - id: clang-format
- repo: https://github.com/psf/black - repo: https://github.com/pre-commit/mirrors-autopep8
rev: 25.1.0 rev: v1.6.0
hooks: hooks:
- id: black - id: autopep8
files: ^(misc/codegen/.*|misc/scripts/models-as-data/.*)\.py$ files: ^misc/codegen/.*\.py
- repo: local - repo: local
hooks: hooks:
@@ -28,7 +26,7 @@ repos:
name: Format bazel files name: Format bazel files
files: \.(bazel|bzl) files: \.(bazel|bzl)
language: system language: system
entry: bazel run //misc/bazel/buildifier entry: bazel run //misc/bazel:buildifier
pass_filenames: false pass_filenames: false
# DISABLED: can be enabled by copying this config and installing `pre-commit` with `--config` on the copy # DISABLED: can be enabled by copying this config and installing `pre-commit` with `--config` on the copy
@@ -47,7 +45,7 @@ repos:
- id: sync-files - id: sync-files
name: Fix files required to be identical name: Fix files required to be identical
files: \.(qll?|qhelp|swift|toml)$|^config/identical-files\.json$ files: \.(qll?|qhelp|swift)$|^config/identical-files\.json$
language: system language: system
entry: python3 config/sync-files.py --latest entry: python3 config/sync-files.py --latest
pass_filenames: false pass_filenames: false
@@ -60,7 +58,7 @@ repos:
- id: swift-codegen - id: swift-codegen
name: Run Swift checked in code generation name: Run Swift checked in code generation
files: ^misc/codegen/|^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list) files: ^swift/(schema.py$|codegen/|.*/generated/|ql/lib/(swift\.dbscheme$|codeql/swift/elements)|ql/\.generated.list)
language: system language: system
entry: bazel run //swift/codegen -- --quiet entry: bazel run //swift/codegen -- --quiet
pass_filenames: false pass_filenames: false
@@ -71,17 +69,3 @@ repos:
language: system language: system
entry: bazel test //misc/codegen/test entry: bazel test //misc/codegen/test
pass_filenames: false pass_filenames: false
- id: rust-codegen
name: Run Rust checked in code generation
files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list|ast-generator/)
language: system
entry: bazel run //rust/codegen -- --quiet
pass_filenames: false
- id: rust-lint
name: Run fmt and clippy on Rust code
files: ^rust/extractor/(.*rs|Cargo.toml)$
language: system
entry: python3 rust/lint.py
pass_filenames: false

View File

@@ -1,6 +1,5 @@
{ {
"omnisharp.autoStart": false, "omnisharp.autoStart": false,
"cmake.sourceDirectory": "${workspaceFolder}/swift", "cmake.sourceDirectory": "${workspaceFolder}/swift",
"cmake.buildDirectory": "${workspaceFolder}/bazel-cmake-build", "cmake.buildDirectory": "${workspaceFolder}/bazel-cmake-build"
"editor.suggest.matchOnWordStartOnly": false
} }

98
.vscode/tasks.json vendored
View File

@@ -38,104 +38,6 @@
"command": "${config:python.pythonPath}", "command": "${config:python.pythonPath}",
}, },
"problemMatcher": [] "problemMatcher": []
},
{
"label": "Create query change note",
"type": "process",
"command": "python3",
"args": [
"misc/scripts/create-change-note.py",
"${input:language}",
"src",
"${input:name}",
"${input:categoryQuery}"
],
"options": {
"env": {
"EDITOR": "code -r",
}
},
"presentation": {
"reveal": "never",
"close": true
},
"problemMatcher": []
},
{
"label": "Create library change note",
"type": "process",
"command": "python3",
"args": [
"misc/scripts/create-change-note.py",
"${input:language}",
"lib",
"${input:name}",
"${input:categoryLibrary}"
],
"options": {
"env": {
"EDITOR": "code -r"
}
},
"presentation": {
"reveal": "never",
"close": true
},
"problemMatcher": []
}
],
"inputs": [
{
"type": "pickString",
"id": "language",
"description": "Language",
"options":
[
"actions",
"go",
"java",
"javascript",
"cpp",
"csharp",
"python",
"ruby",
"rust",
"swift",
]
},
{
"type": "promptString",
"id": "name",
"description": "Short name (kebab-case)"
},
{
"type": "pickString",
"id": "categoryQuery",
"description": "Category (query change)",
"options":
[
"breaking",
"deprecated",
"newQuery",
"queryMetadata",
"majorAnalysis",
"minorAnalysis",
"fix",
]
},
{
"type": "pickString",
"id": "categoryLibrary",
"description": "Category (library change)",
"options":
[
"breaking",
"deprecated",
"feature",
"majorAnalysis",
"minorAnalysis",
"fix",
]
} }
] ]
} }

View File

@@ -1,5 +1 @@
exports_files([ exports_files(["LICENSE"])
"LICENSE",
"Cargo.lock",
"Cargo.toml",
])

View File

@@ -1,4 +1,3 @@
/actions/ @github/codeql-dynamic
/cpp/ @github/codeql-c-analysis /cpp/ @github/codeql-c-analysis
/csharp/ @github/codeql-csharp /csharp/ @github/codeql-csharp
/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor /csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor
@@ -8,17 +7,12 @@
/javascript/ @github/codeql-javascript /javascript/ @github/codeql-javascript
/python/ @github/codeql-python /python/ @github/codeql-python
/ruby/ @github/codeql-ruby /ruby/ @github/codeql-ruby
/rust/ @github/codeql-rust
/swift/ @github/codeql-swift /swift/ @github/codeql-swift
/misc/codegen/ @github/codeql-swift /misc/codegen/ @github/codeql-swift
/java/kotlin-extractor/ @github/codeql-kotlin /java/kotlin-extractor/ @github/codeql-kotlin
/java/ql/test-kotlin1/ @github/codeql-kotlin /java/ql/test-kotlin1/ @github/codeql-kotlin
/java/ql/test-kotlin2/ @github/codeql-kotlin /java/ql/test-kotlin2/ @github/codeql-kotlin
# Experimental CodeQL cryptography
**/experimental/**/quantum/ @github/ps-codeql
/shared/quantum/ @github/ps-codeql
# CodeQL tools and associated docs # CodeQL tools and associated docs
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
/docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers /docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
@@ -29,6 +23,7 @@
/ql/ @github/codeql-ql-for-ql-reviewers /ql/ @github/codeql-ql-for-ql-reviewers
# Bazel (excluding BUILD.bazel files) # Bazel (excluding BUILD.bazel files)
WORKSPACE.bazel @github/codeql-ci-reviewers
MODULE.bazel @github/codeql-ci-reviewers MODULE.bazel @github/codeql-ci-reviewers
.bazelversion @github/codeql-ci-reviewers .bazelversion @github/codeql-ci-reviewers
.bazelrc @github/codeql-ci-reviewers .bazelrc @github/codeql-ci-reviewers
@@ -43,12 +38,8 @@ MODULE.bazel @github/codeql-ci-reviewers
/.github/workflows/go-* @github/codeql-go /.github/workflows/go-* @github/codeql-go
/.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers /.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
/.github/workflows/ruby-* @github/codeql-ruby /.github/workflows/ruby-* @github/codeql-ruby
/.github/workflows/rust.yml @github/codeql-rust
/.github/workflows/swift.yml @github/codeql-swift /.github/workflows/swift.yml @github/codeql-swift
# Misc # Misc
/misc/scripts/accept-expected-changes-from-ci.py @RasmusWL /misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
/misc/scripts/generate-code-scanning-query-list.py @RasmusWL /misc/scripts/generate-code-scanning-query-list.py @RasmusWL
# .devcontainer
/.devcontainer/ @github/codeql-ci-reviewers

3447
Cargo.lock generated

File diff suppressed because it is too large Load Diff

View File

@@ -1,13 +0,0 @@
# This is the shared workspace file for extractor using shared/tree-sitter/extractor
[workspace]
resolver = "2"
members = [
"shared/tree-sitter-extractor",
"ruby/extractor",
"rust/extractor",
"rust/extractor/macros",
"rust/ast-generator",
"rust/autobuild",
]
exclude = ["mad-generation-build"]

View File

@@ -1,6 +1,6 @@
MIT License MIT License
Copyright (c) 2006-2025 GitHub, Inc. Copyright (c) 2006-2020 GitHub, Inc.
Permission is hereby granted, free of charge, to any person obtaining a copy Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal of this software and associated documentation files (the "Software"), to deal

View File

@@ -1,7 +1,6 @@
module( module(
name = "ql", name = "codeql",
version = "0.0", version = "0.0",
repo_name = "codeql",
) )
# this points to our internal repository when `codeql` is checked out as a submodule thereof # this points to our internal repository when `codeql` is checked out as a submodule thereof
@@ -14,162 +13,22 @@ local_path_override(
# see https://registry.bazel.build/ for a list of available packages # see https://registry.bazel.build/ for a list of available packages
bazel_dep(name = "platforms", version = "0.0.11") bazel_dep(name = "platforms", version = "0.0.9")
bazel_dep(name = "rules_go", version = "0.50.1") bazel_dep(name = "rules_go", version = "0.47.0")
bazel_dep(name = "rules_pkg", version = "1.0.1") bazel_dep(name = "rules_pkg", version = "0.10.1")
bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1") bazel_dep(name = "rules_nodejs", version = "6.0.3")
bazel_dep(name = "rules_python", version = "0.40.0") bazel_dep(name = "rules_python", version = "0.31.0")
bazel_dep(name = "rules_shell", version = "0.3.0") bazel_dep(name = "bazel_skylib", version = "1.5.0")
bazel_dep(name = "bazel_skylib", version = "1.7.1") bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json") bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
bazel_dep(name = "fmt", version = "10.0.0") bazel_dep(name = "fmt", version = "10.0.0")
bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1") bazel_dep(name = "gazelle", version = "0.36.0")
bazel_dep(name = "gazelle", version = "0.40.0") bazel_dep(name = "rules_dotnet", version = "0.15.1")
bazel_dep(name = "rules_dotnet", version = "0.17.4")
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
bazel_dep(name = "rules_rust", version = "0.58.0")
bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True) bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
# Keep edition and version approximately in sync with internal repo.
# the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
RUST_EDITION = "2024"
# run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo)
RUST_VERSION = "1.86.0"
rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
rust.toolchain(
edition = RUST_EDITION,
# We need those extra target triples so that we can build universal binaries on macos
extra_target_triples = [
"x86_64-apple-darwin",
"aarch64-apple-darwin",
],
# generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
sha256s = {
"rustc-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "4438b809ce4a083af31ed17aeeedcc8fc60ccffc0625bef1926620751b6989d7",
"rustc-1.86.0-x86_64-apple-darwin.tar.xz": "42b76253626febb7912541a30d3379f463dec89581aad4cb72c6c04fb5a71dc5",
"rustc-1.86.0-aarch64-apple-darwin.tar.xz": "23b8f52102249a47ab5bc859d54c9a3cb588a3259ba3f00f557d50edeca4fde9",
"rustc-1.86.0-x86_64-pc-windows-msvc.tar.xz": "fdde839fea274529a31e51eb85c6df1782cc8479c9d1bc24e2914d66a0de41ab",
"clippy-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "02aaff2c1407d2da8dba19aa4970dd873e311902b120a66cbcdbe51eb8836edf",
"clippy-1.86.0-x86_64-apple-darwin.tar.xz": "bb85efda7bbffaf124867f5ca36d50932b1e8f533c62ee923438afb32ff8fe9a",
"clippy-1.86.0-aarch64-apple-darwin.tar.xz": "239fa3a604b124f0312f2af08537874a1227dba63385484b468cca62e7c4f2f2",
"clippy-1.86.0-x86_64-pc-windows-msvc.tar.xz": "d00498f47d49219f032e2c5eeebdfc3d32317c0dc3d3fd7125327445bc482cb4",
"cargo-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "c5c1590f7e9246ad9f4f97cfe26ffa92707b52a769726596a9ef81565ebd908b",
"cargo-1.86.0-x86_64-apple-darwin.tar.xz": "af163eb02d1a178044d1b4f2375960efd47130f795f6e33d09e345454bb26f4e",
"cargo-1.86.0-aarch64-apple-darwin.tar.xz": "3cb13873d48c3e1e4cc684d42c245226a11fba52af6b047c3346ed654e7a05c0",
"cargo-1.86.0-x86_64-pc-windows-msvc.tar.xz": "e57a9d89619b5604899bac443e68927bdd371e40f2e03e18950b6ceb3eb67966",
"llvm-tools-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "282145ab7a63c98b625856f44b905b4dc726b497246b824632a5790debe95a78",
"llvm-tools-1.86.0-x86_64-apple-darwin.tar.xz": "b55706e92f7da989207c50c13c7add483a9fedd233bc431b106eca2a8f151ec9",
"llvm-tools-1.86.0-aarch64-apple-darwin.tar.xz": "04d3618c686845853585f036e3211eb9e18f2d290f4610a7a78bdc1fcce1ebd9",
"llvm-tools-1.86.0-x86_64-pc-windows-msvc.tar.xz": "721a17cc8dc219177e4277a3592253934ef08daa1e1b12eda669a67d15fad8dd",
"rust-std-1.86.0-x86_64-unknown-linux-gnu.tar.xz": "67be7184ea388d8ce0feaf7fdea46f1775cfc2970930264343b3089898501d37",
"rust-std-1.86.0-x86_64-apple-darwin.tar.xz": "3b1140d54870a080080e84700143f4a342fbd02a410a319b05d9c02e7dcf44cc",
"rust-std-1.86.0-aarch64-apple-darwin.tar.xz": "0fb121fb3b8fa9027d79ff598500a7e5cd086ddbc3557482ed3fdda00832c61b",
"rust-std-1.86.0-x86_64-pc-windows-msvc.tar.xz": "3d5354b7b9cb950b58bff3fce18a652aa374bb30c8f70caebd3bd0b43cb41a33",
},
versions = [RUST_VERSION],
)
use_repo(rust, "rust_toolchains")
register_toolchains("@rust_toolchains//:all")
# deps for python extractor
# keep in sync by running `misc/bazel/3rdparty/update_cargo_deps.sh`
py_deps = use_extension("//misc/bazel/3rdparty:py_deps_extension.bzl", "p")
use_repo(
py_deps,
"vendor_py__anyhow-1.0.95",
"vendor_py__cc-1.2.14",
"vendor_py__clap-4.5.30",
"vendor_py__regex-1.11.1",
"vendor_py__tree-sitter-0.20.4",
"vendor_py__tree-sitter-graph-0.7.0",
)
# deps for ruby+rust
# keep in sync by running `misc/bazel/3rdparty/update_cargo_deps.sh`
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
use_repo(
tree_sitter_extractors_deps,
"vendor_ts__anyhow-1.0.98",
"vendor_ts__argfile-0.2.1",
"vendor_ts__chalk-ir-0.103.0",
"vendor_ts__chrono-0.4.41",
"vendor_ts__clap-4.5.40",
"vendor_ts__dunce-1.0.5",
"vendor_ts__either-1.15.0",
"vendor_ts__encoding-0.2.33",
"vendor_ts__figment-0.10.19",
"vendor_ts__flate2-1.1.0",
"vendor_ts__glob-0.3.2",
"vendor_ts__globset-0.4.15",
"vendor_ts__itertools-0.14.0",
"vendor_ts__lazy_static-1.5.0",
"vendor_ts__mustache-0.9.0",
"vendor_ts__num-traits-0.2.19",
"vendor_ts__num_cpus-1.17.0",
"vendor_ts__proc-macro2-1.0.95",
"vendor_ts__quote-1.0.40",
"vendor_ts__ra_ap_base_db-0.0.288",
"vendor_ts__ra_ap_cfg-0.0.288",
"vendor_ts__ra_ap_hir-0.0.288",
"vendor_ts__ra_ap_hir_def-0.0.288",
"vendor_ts__ra_ap_hir_expand-0.0.288",
"vendor_ts__ra_ap_hir_ty-0.0.288",
"vendor_ts__ra_ap_ide_db-0.0.288",
"vendor_ts__ra_ap_intern-0.0.288",
"vendor_ts__ra_ap_load-cargo-0.0.288",
"vendor_ts__ra_ap_parser-0.0.288",
"vendor_ts__ra_ap_paths-0.0.288",
"vendor_ts__ra_ap_project_model-0.0.288",
"vendor_ts__ra_ap_span-0.0.288",
"vendor_ts__ra_ap_stdx-0.0.288",
"vendor_ts__ra_ap_syntax-0.0.288",
"vendor_ts__ra_ap_vfs-0.0.288",
"vendor_ts__rand-0.9.1",
"vendor_ts__rayon-1.10.0",
"vendor_ts__regex-1.11.1",
"vendor_ts__serde-1.0.219",
"vendor_ts__serde_json-1.0.140",
"vendor_ts__serde_with-3.13.0",
"vendor_ts__syn-2.0.103",
"vendor_ts__toml-0.8.23",
"vendor_ts__tracing-0.1.41",
"vendor_ts__tracing-flame-0.2.0",
"vendor_ts__tracing-subscriber-0.3.19",
"vendor_ts__tree-sitter-0.24.6",
"vendor_ts__tree-sitter-embedded-template-0.23.2",
"vendor_ts__tree-sitter-json-0.24.8",
"vendor_ts__tree-sitter-ql-0.23.1",
"vendor_ts__tree-sitter-ruby-0.23.1",
"vendor_ts__triomphe-0.1.14",
"vendor_ts__ungrammar-1.16.1",
"vendor_ts__zstd-0.13.3",
)
http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
# rust-analyzer sources needed by the rust ast-generator (see `rust/ast-generator/README.md`)
RUST_ANALYZER_SRC_TAG = "2025-01-07"
http_archive(
name = "rust-analyzer-src",
build_file = "//rust/ast-generator:BUILD.rust-analyzer-src.bazel",
integrity = "sha256-eo8mIaUafZL8LOM65bDIIIXw1rNQ/P/x5RK/XUtgo5g=",
patch_args = ["-p1"],
patches = [
"//rust/ast-generator:patches/rust-analyzer.patch",
],
strip_prefix = "rust-analyzer-%s" % RUST_ANALYZER_SRC_TAG,
url = "https://github.com/rust-lang/rust-analyzer/archive/refs/tags/%s.tar.gz" % RUST_ANALYZER_SRC_TAG,
)
dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet") dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
dotnet.toolchain(dotnet_version = "9.0.100") dotnet.toolchain(dotnet_version = "8.0.101")
use_repo(dotnet, "dotnet_toolchains") use_repo(dotnet, "dotnet_toolchains")
register_toolchains("@dotnet_toolchains//:all") register_toolchains("@dotnet_toolchains//:all")
@@ -180,7 +39,7 @@ use_repo(csharp_main_extension, "paket.main")
pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip") pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
pip.parse( pip.parse(
hub_name = "codegen_deps", hub_name = "codegen_deps",
python_version = "3.12", python_version = "3.11",
requirements_lock = "//misc/codegen:requirements_lock.txt", requirements_lock = "//misc/codegen:requirements_lock.txt",
) )
use_repo(pip, "codegen_deps") use_repo(pip, "codegen_deps")
@@ -192,96 +51,21 @@ use_repo(
swift_deps, swift_deps,
"binlog", "binlog",
"picosha2", "picosha2",
"swift-prebuilt-linux", "swift_prebuilt_darwin_x86_64",
"swift-prebuilt-linux-download-only", "swift_prebuilt_linux",
"swift-prebuilt-macos", "swift_toolchain_linux",
"swift-prebuilt-macos-download-only", "swift_toolchain_macos",
"swift-resource-dir-linux",
"swift-resource-dir-macos",
) )
node = use_extension("@rules_nodejs//nodejs:extensions.bzl", "node") node = use_extension("@rules_nodejs//nodejs:extensions.bzl", "node")
node.toolchain( node.toolchain(
name = "nodejs", name = "nodejs",
node_urls = [
"https://nodejs.org/dist/v{version}/{filename}",
"https://mirrors.dotsrc.org/nodejs/release/v{version}/{filename}",
],
node_version = "18.15.0", node_version = "18.15.0",
) )
use_repo(node, "nodejs", "nodejs_toolchains") use_repo(node, "nodejs", "nodejs_toolchains")
kotlin_extractor_deps = use_extension("//java/kotlin-extractor:deps.bzl", "kotlin_extractor_deps")
# following list can be kept in sync by running `bazel mod tidy` in `codeql`
use_repo(
kotlin_extractor_deps,
"codeql_kotlin_defaults",
"codeql_kotlin_embeddable",
"kotlin-compiler-1.6.0",
"kotlin-compiler-1.6.20",
"kotlin-compiler-1.7.0",
"kotlin-compiler-1.7.20",
"kotlin-compiler-1.8.0",
"kotlin-compiler-1.9.0-Beta",
"kotlin-compiler-1.9.20-Beta",
"kotlin-compiler-2.0.0-RC1",
"kotlin-compiler-2.0.20-Beta2",
"kotlin-compiler-2.1.0-Beta1",
"kotlin-compiler-2.1.20-Beta1",
"kotlin-compiler-2.2.0-Beta1",
"kotlin-compiler-embeddable-1.6.0",
"kotlin-compiler-embeddable-1.6.20",
"kotlin-compiler-embeddable-1.7.0",
"kotlin-compiler-embeddable-1.7.20",
"kotlin-compiler-embeddable-1.8.0",
"kotlin-compiler-embeddable-1.9.0-Beta",
"kotlin-compiler-embeddable-1.9.20-Beta",
"kotlin-compiler-embeddable-2.0.0-RC1",
"kotlin-compiler-embeddable-2.0.20-Beta2",
"kotlin-compiler-embeddable-2.1.0-Beta1",
"kotlin-compiler-embeddable-2.1.20-Beta1",
"kotlin-compiler-embeddable-2.2.0-Beta1",
"kotlin-stdlib-1.6.0",
"kotlin-stdlib-1.6.20",
"kotlin-stdlib-1.7.0",
"kotlin-stdlib-1.7.20",
"kotlin-stdlib-1.8.0",
"kotlin-stdlib-1.9.0-Beta",
"kotlin-stdlib-1.9.20-Beta",
"kotlin-stdlib-2.0.0-RC1",
"kotlin-stdlib-2.0.20-Beta2",
"kotlin-stdlib-2.1.0-Beta1",
"kotlin-stdlib-2.1.20-Beta1",
"kotlin-stdlib-2.2.0-Beta1",
)
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk") go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
go_sdk.download(version = "1.24.0") go_sdk.download(version = "1.22.2")
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
go_deps.from_file(go_mod = "//go/extractor:go.mod")
use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
lfs_archive(
name = "ripunzip-linux",
src = "//misc/ripunzip:ripunzip-Linux.zip",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
)
lfs_archive(
name = "ripunzip-windows",
src = "//misc/ripunzip:ripunzip-Windows.zip",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
)
lfs_archive(
name = "ripunzip-macos",
src = "//misc/ripunzip:ripunzip-macOS.zip",
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
)
register_toolchains( register_toolchains(
"@nodejs_toolchains//:all", "@nodejs_toolchains//:all",

2
WORKSPACE.bazel Normal file
View File

@@ -0,0 +1,2 @@
# please use MODULE.bazel to add dependencies
# this empty file is required by internal repositories, don't remove it

View File

@@ -1,9 +0,0 @@
load("//misc/bazel:pkg.bzl", "codeql_pack")
package(default_visibility = ["//visibility:public"])
codeql_pack(
name = "actions",
srcs = ["//actions/extractor"],
experimental = True,
)

View File

@@ -1,12 +0,0 @@
load("//misc/bazel:pkg.bzl", "codeql_pkg_files", "strip_prefix")
codeql_pkg_files(
name = "extractor",
srcs = [
"codeql-extractor.yml",
"//:LICENSE",
],
exes = glob(["tools/**"]),
strip_prefix = strip_prefix.from_pkg(),
visibility = ["//actions:__pkg__"],
)

View File

@@ -1,44 +0,0 @@
name: "actions"
aliases: []
display_name: "GitHub Actions"
version: 0.0.1
column_kind: "utf16"
unicode_newlines: true
build_modes:
- none
file_coverage_languages: []
github_api_languages: []
scc_languages: []
file_types:
- name: workflow
display_name: GitHub Actions workflow files
extensions:
- .yml
- .yaml
forwarded_extractor_name: javascript
options:
trap:
title: TRAP options
description: Options about how the extractor handles TRAP files
type: object
visibility: 3
properties:
cache:
title: TRAP cache options
description: Options about how the extractor handles its TRAP cache
type: object
properties:
dir:
title: TRAP cache directory
description: The directory of the TRAP cache to use
type: string
bound:
title: TRAP cache bound
description: A soft limit (in MB) on the size of the TRAP cache
type: string
pattern: "[0-9]+"
write:
title: TRAP cache writeable
description: Whether to write to the TRAP cache as well as reading it
type: string
pattern: "(true|TRUE|false|FALSE)"

View File

@@ -1,53 +0,0 @@
# Note: We're adding the `reusable_workflows` subdirectories to proactively
# record workflows that were called cross-repo, check them out locally,
# and enable an interprocedural analysis across the workflow files.
# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
$DefaultPathFilters = @(
'exclude:**/*',
'include:.github/workflows/*.yml',
'include:.github/workflows/*.yaml',
'include:.github/reusable_workflows/**/*.yml',
'include:.github/reusable_workflows/**/*.yaml',
'include:**/action.yml',
'include:**/action.yaml'
)
if ($null -ne $env:LGTM_INDEX_FILTERS) {
Write-Output 'LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor.'
# Begin with the default path inclusions only,
# followed by the user-provided filters.
# If the user provided `paths`, those patterns override the default inclusions
# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
# If the user provided `paths-ignore`, those patterns are excluded.
$PathFilters = ($DefaultPathFilters -join "`n") + "`n" + $env:LGTM_INDEX_FILTERS
$env:LGTM_INDEX_FILTERS = $PathFilters
} else {
Write-Output 'LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor.'
$env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
}
# Find the JavaScript extractor directory via `codeql resolve extractor`.
$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &"$CodeQL" resolve extractor --language javascript
if ($LASTEXITCODE -ne 0) {
throw 'Failed to resolve JavaScript extractor.'
}
Write-Output "Found JavaScript extractor at '${env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
# Run the JavaScript autobuilder.
$JavaScriptAutoBuild = Join-Path $env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT 'tools\autobuild.cmd'
Write-Output "Running JavaScript autobuilder at '${JavaScriptAutoBuild}'."
# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
$env:CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR
$env:CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_LOG_DIR
$env:CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR
$env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR
$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
&"$JavaScriptAutoBuild"
if ($LASTEXITCODE -ne 0) {
throw "JavaScript autobuilder failed."
}

View File

@@ -1,4 +0,0 @@
@echo off
rem All of the work is done in the PowerShell script
echo "Running PowerShell script at '%~dp0autobuild-impl.ps1'"
powershell.exe -File "%~dp0autobuild-impl.ps1"

View File

@@ -1,57 +0,0 @@
#!/bin/sh
set -eu
# Note: We're adding the `reusable_workflows` subdirectories to proactively
# record workflows that were called cross-repo, check them out locally,
# and enable an interprocedural analysis across the workflow files.
# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
DEFAULT_PATH_FILTERS=$(cat << END
exclude:**/*
include:.github/workflows/*.yml
include:.github/workflows/*.yaml
include:.github/reusable_workflows/**/*.yml
include:.github/reusable_workflows/**/*.yaml
include:**/action.yml
include:**/action.yaml
END
)
if [ -n "${LGTM_INDEX_FILTERS:-}" ]; then
echo "LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor."
# Begin with the default path inclusions only,
# followed by the user-provided filters.
# If the user provided `paths`, those patterns override the default inclusions
# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
# If the user provided `paths-ignore`, those patterns are excluded.
PATH_FILTERS="$(cat << END
${DEFAULT_PATH_FILTERS}
${LGTM_INDEX_FILTERS}
END
)"
LGTM_INDEX_FILTERS="${PATH_FILTERS}"
export LGTM_INDEX_FILTERS
else
echo "LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor."
LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
export LGTM_INDEX_FILTERS
fi
# Find the JavaScript extractor directory via `codeql resolve extractor`.
CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("${CODEQL_DIST}/codeql" resolve extractor --language javascript)"
export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
# Run the JavaScript autobuilder
JAVASCRIPT_AUTO_BUILD="${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}/tools/autobuild.sh"
echo "Running JavaScript autobuilder at '${JAVASCRIPT_AUTO_BUILD}'."
# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR="${CODEQL_EXTRACTOR_ACTIONS_LOG_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR="${CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
"${JAVASCRIPT_AUTO_BUILD}"

View File

@@ -1,28 +0,0 @@
extensions:
- addsTo:
pack: codeql/actions-all
extensible: immutableActionsDataModel
data:
- ["actions/checkout"]
- ["actions/cache"]
- ["actions/setup-node"]
- ["actions/upload-artifact"]
- ["actions/setup-python"]
- ["actions/download-artifact"]
- ["actions/github-script"]
- ["actions/setup-java"]
- ["actions/setup-go"]
- ["actions/upload-pages-artifact"]
- ["actions/deploy-pages"]
- ["actions/setup-dotnet"]
- ["actions/stale"]
- ["actions/labeler"]
- ["actions/create-github-app-token"]
- ["actions/configure-pages"]
- ["github/codeql-action/analyze"]
- ["github/codeql-action/autobuild"]
- ["github/codeql-action/init"]
- ["github/codeql-action/resolve-environment"]
- ["github/codeql-action/start-proxy"]
- ["github/codeql-action/upload-sarif"]
- ["octokit/request-action"]

View File

@@ -1,14 +0,0 @@
# Model pack containing the list of known immutable actions. The Immutable Actions feature is not
# yet released, so this pack will only be used within GitHub. Once the feature is available to
# customers, we will move the contents of this pack back into the standard library pack.
name: codeql/immutable-actions-list
version: 0.0.1-dev
library: true
warnOnImplicitThis: true
extensionTargets:
# We expect to need this model pack even after GA of Actions analysis, so make it compatible with
# all future prereleases plus 1.x.x. We should be able to remove this back before we need to
# bump the major version to 2.
codeql/actions-all: ">=0.4.3 <2.0.0"
dataExtensions:
- ext/**/*.yml

View File

@@ -1,5 +0,0 @@
import actions
from AstNode n
where n instanceof Workflow or n instanceof CompositeAction
select n

View File

@@ -1,6 +0,0 @@
| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
| src/action.yml:1:1:11:32 | name: ' ... action' |
| src/excluded/action.yml:1:1:11:32 | name: ' ... action' |
| src/included/action.yml:1:1:11:32 | name: ' ... action' |

View File

@@ -1,2 +0,0 @@
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |

View File

@@ -1,5 +0,0 @@
| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
| src/action.yml:1:1:11:32 | name: ' ... action' |
| src/included/action.yml:1:1:11:32 | name: ' ... action' |

View File

@@ -1,2 +0,0 @@
| src/included/action.yml:1:1:11:32 | name: ' ... action' |
| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |

View File

@@ -1,5 +0,0 @@
import actions
from AstNode n
where n instanceof Workflow or n instanceof CompositeAction
select n

View File

@@ -1,4 +0,0 @@
paths:
- 'included'
paths-ignore:
- 'excluded'

View File

@@ -1,2 +0,0 @@
paths-ignore:
- 'excluded'

View File

@@ -1,2 +0,0 @@
paths:
- 'included'

View File

@@ -1,6 +0,0 @@
src/.github/action.yaml
src/.github/actions/action-name/action.yml
src/.github/workflows/workflow.yml
src/action.yml
src/excluded/action.yml
src/included/action.yml

View File

@@ -1,3 +0,0 @@
src/included/action.yml
src/included/not-an-action.yml
src/included/unreachable-workflow.yml

View File

@@ -1,5 +0,0 @@
src/.github/action.yaml
src/.github/actions/action-name/action.yml
src/.github/workflows/workflow.yml
src/action.yml
src/included/action.yml

View File

@@ -1,3 +0,0 @@
src/included/action.yml
src/included/not-an-action.yml
src/included/unreachable-workflow.yml

View File

@@ -1,11 +0,0 @@
name: 'A composite action'
description: 'Do something'
runs:
using: "composite"
steps:
- name: Print
run: echo "Hello world"
shell: bash
- name: Checkout
uses: actions/checkout@v4

View File

@@ -1,11 +0,0 @@
name: 'A composite action'
description: 'Do something'
runs:
using: "composite"
steps:
- name: Print
run: echo "Hello world"
shell: bash
- name: Checkout
uses: actions/checkout@v4

View File

@@ -1,12 +0,0 @@
name: An unreachable workflow
on:
push:
branches:
- main
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

View File

@@ -1,12 +0,0 @@
name: A workflow
on:
push:
branches:
- main
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

View File

@@ -1,11 +0,0 @@
name: 'A composite action'
description: 'Do something'
runs:
using: "composite"
steps:
- name: Print
run: echo "Hello world"
shell: bash
- name: Checkout
uses: actions/checkout@v4

View File

@@ -1,11 +0,0 @@
name: 'A composite action'
description: 'Do something'
runs:
using: "composite"
steps:
- name: Print
run: echo "Hello world"
shell: bash
- name: Checkout
uses: actions/checkout@v4

View File

@@ -1,12 +0,0 @@
name: An unreachable workflow
on:
push:
branches:
- main
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

View File

@@ -1,11 +0,0 @@
name: 'A composite action'
description: 'Do something'
runs:
using: "composite"
steps:
- name: Print
run: echo "Hello world"
shell: bash
- name: Checkout
uses: actions/checkout@v4

View File

@@ -1 +0,0 @@
name: 'Not an action, just a YAML file'

View File

@@ -1,12 +0,0 @@
name: An unreachable workflow
on:
push:
branches:
- main
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

View File

@@ -1,12 +0,0 @@
name: An unreachable workflow
on:
push:
branches:
- main
jobs:
job:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4

View File

@@ -1,18 +0,0 @@
import pytest
@pytest.mark.ql_test(expected=".default-filters.expected")
def test_default_filters(codeql, actions, check_source_archive):
check_source_archive.expected_suffix = ".default-filters.expected"
codeql.database.create(source_root="src")
@pytest.mark.ql_test(expected=".paths-only.expected")
def test_config_paths_only(codeql, actions):
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-only.yml")
@pytest.mark.ql_test(expected=".paths-ignore-only.expected")
def test_config_paths_ignore_only(codeql, actions):
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-ignore-only.yml")
@pytest.mark.ql_test(expected=".paths-and-paths-ignore.expected")
def test_config_paths_and_paths_ignore(codeql, actions):
codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-and-paths-ignore.yml")

View File

@@ -1,17 +0,0 @@
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

View File

@@ -1,27 +0,0 @@
ql/actions/ql/src/Debug/SyntaxError.ql
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql

View File

@@ -1,23 +0,0 @@
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

View File

@@ -1,17 +0,0 @@
ql/actions/ql/src/Debug/partial.ql
ql/actions/ql/src/Models/CompositeActionsSinks.ql
ql/actions/ql/src/Models/CompositeActionsSources.ql
ql/actions/ql/src/Models/CompositeActionsSummaries.ql
ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql

View File

@@ -1,14 +0,0 @@
import runs_on
import pytest
from query_suites import *
well_known_query_suites = ['actions-code-quality.qls', 'actions-code-quality-extended.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
@runs_on.posix
@pytest.mark.parametrize("query_suite", well_known_query_suites)
def test(codeql, actions, check_query_suite, query_suite):
check_query_suite(query_suite)
@runs_on.posix
def test_not_included_queries(codeql, actions, check_queries_not_included):
check_queries_not_included('actions', well_known_query_suites)

View File

@@ -1,73 +0,0 @@
## 0.4.13
### Bug Fixes
* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
## 0.4.12
### Minor Analysis Improvements
* Fixed performance issues in the parsing of Bash scripts in workflow files,
which led to out-of-disk errors when analysing certain workflow files with
complex interpolations of shell commands or quoted strings.
## 0.4.11
No user-facing changes.
## 0.4.10
No user-facing changes.
## 0.4.9
No user-facing changes.
## 0.4.8
No user-facing changes.
## 0.4.7
### New Features
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
## 0.4.6
### Bug Fixes
* The query `actions/code-injection/medium` now produces alerts for injection
vulnerabilities on `pull_request` events.
## 0.4.5
No user-facing changes.
## 0.4.4
No user-facing changes.
## 0.4.3
### New Features
* The "Unpinned tag for a non-immutable Action in workflow" query (`actions/unpinned-tag`) now supports expanding the trusted action owner list using data extensions (`extensible: trustedActionsOwnerDataModel`). If you trust an Action publisher, you can include the owner name/organization in a model pack to add it to the allow list for this query. This addition will prevent security alerts when using unpinned tags for Actions published by that owner. For more information on creating a model pack, see [Creating a CodeQL Model Pack](https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack).
## 0.4.2
### Bug Fixes
* Fixed data for vulnerable versions of `actions/download-artifact` and `rlespinasse/github-slug-action` (following GHSA-cxww-7g56-2vh6 and GHSA-6q4m-7476-932w).
* Improved `untrustedGhCommandDataModel` regex for `gh pr view` and Bash taint analysis in GitHub Actions.
## 0.4.1
No user-facing changes.
## 0.4.0
### New Features
* Initial public preview release

Some files were not shown because too many files have changed in this diff Show More