codeql-cli
...
alexet/fix
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
07956c9ad6 |
4
.bazelrc
4
.bazelrc
@@ -30,9 +30,6 @@ common --registry=https://bcr.bazel.build
|
|||||||
|
|
||||||
common --@rules_dotnet//dotnet/settings:strict_deps=false
|
common --@rules_dotnet//dotnet/settings:strict_deps=false
|
||||||
|
|
||||||
# we only configure a nightly toolchain
|
|
||||||
common --@rules_rust//rust/toolchain/channel=nightly
|
|
||||||
|
|
||||||
# Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
|
# Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
|
||||||
common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
|
common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
|
||||||
|
|
||||||
@@ -40,6 +37,5 @@ build --java_language_version=17
|
|||||||
build --tool_java_language_version=17
|
build --tool_java_language_version=17
|
||||||
build --tool_java_runtime_version=remotejdk_17
|
build --tool_java_runtime_version=remotejdk_17
|
||||||
build --java_runtime_version=remotejdk_17
|
build --java_runtime_version=remotejdk_17
|
||||||
build --@rules_python//python/config_settings:python_version=3.12
|
|
||||||
|
|
||||||
try-import %workspace%/local.bazelrc
|
try-import %workspace%/local.bazelrc
|
||||||
|
|||||||
@@ -8,5 +8,3 @@ common --registry=https://bcr.bazel.build
|
|||||||
# its implementation packages without providing any code itself.
|
# its implementation packages without providing any code itself.
|
||||||
# We either can depend on internal implementation details, or turn of strict deps.
|
# We either can depend on internal implementation details, or turn of strict deps.
|
||||||
common --@rules_dotnet//dotnet/settings:strict_deps=false
|
common --@rules_dotnet//dotnet/settings:strict_deps=false
|
||||||
|
|
||||||
build --@rules_python//python/config_settings:python_version=3.12
|
|
||||||
|
|||||||
@@ -1 +1 @@
|
|||||||
8.1.1
|
8.0.0
|
||||||
|
|||||||
@@ -1,7 +0,0 @@
|
|||||||
FROM mcr.microsoft.com/devcontainers/base:ubuntu-24.04
|
|
||||||
|
|
||||||
USER root
|
|
||||||
# Install needed packages according to https://codeql.github.com/docs/codeql-overview/system-requirements/
|
|
||||||
# most come from the base image, but we need to install some additional ones
|
|
||||||
RUN DEBIAN_FRONTEND=noninteractive apt update && apt install -y sudo man-db python3.12 npm unminimize
|
|
||||||
RUN yes | unminimize
|
|
||||||
@@ -1,4 +1,5 @@
|
|||||||
{
|
{
|
||||||
|
"image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
|
||||||
"extensions": [
|
"extensions": [
|
||||||
"rust-lang.rust-analyzer",
|
"rust-lang.rust-analyzer",
|
||||||
"bungcip.better-toml",
|
"bungcip.better-toml",
|
||||||
@@ -7,10 +8,6 @@
|
|||||||
"ms-vscode.test-adapter-converter",
|
"ms-vscode.test-adapter-converter",
|
||||||
"slevesque.vscode-zipexplorer"
|
"slevesque.vscode-zipexplorer"
|
||||||
],
|
],
|
||||||
"build": {
|
|
||||||
// Path is relative to the devcontainer.json file.
|
|
||||||
"dockerfile": "Dockerfile.codespaces"
|
|
||||||
},
|
|
||||||
"settings": {
|
"settings": {
|
||||||
"files.watcherExclude": {
|
"files.watcherExclude": {
|
||||||
"**/target/**": true
|
"**/target/**": true
|
||||||
|
|||||||
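Review bot: `"image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04"` on the new side pins the Codespaces base image by a mutable tag only, so the environment can change underneath contributors without any commit here; pin by digest as well (`"image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04@sha256:<digest>"`) and bump it deliberately. With the `build` / `Dockerfile.codespaces` stanza removed, the packages that Dockerfile added on top of the base image (`sudo`, `man-db`, `python3.12`, `npm`, `unminimize`) are no longer installed; if any of them is still needed in the codespace, add it through `features` or a `postCreateCommand` so the requirement is explicit rather than assumed to come with the base image. A one-line comment next to `"image"` stating which tools the base image is relied on for would help the next person who reaches for a Dockerfile again.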
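--- a/.github/codeql/codeql-config.yml
+++ b/.github/codeql/codeql-config.yml
@@ -4,13 +4,9 @@ queries:
 - uses: security-and-quality
 
 paths-ignore:
-- '/actions/ql/test'
 - '/cpp/'
 - '/java/'
 - '/python/'
 - '/javascript/ql/test'
-- '/javascript/ql/integration-tests'
 - '/javascript/extractor/tests'
-- '/javascript/extractor/parser-tests'
-- '/javascript/ql/src/'
 - '/rust/ql'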
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
applyTo: "**/*.expected"
|
|
||||||
---
|
|
||||||
Ignore these files. These are generated to be correct by running the tests, and should not be edited manually.
|
|
||||||
@@ -1,6 +0,0 @@
|
|||||||
---
|
|
||||||
applyTo: "**/*.ql,**/*.qll"
|
|
||||||
---
|
|
||||||
When reviewing these QL files, do not make any comment on the code itself. You don't understand the QL programming language well enough yet. You can only make comments about the following aspects:
|
|
||||||
* comments (lines starting with `//` or block comments enclosed in `/* ... */`): you can suggest improvements to the clarity of comments, or point out spelling mistakes
|
|
||||||
* typos in identifiers
|
|
||||||
10
.github/workflows/build-ripunzip.yml
vendored
10
.github/workflows/build-ripunzip.yml
vendored
@@ -6,21 +6,21 @@ on:
|
|||||||
ripunzip-version:
|
ripunzip-version:
|
||||||
description: "what reference to checktout from google/runzip"
|
description: "what reference to checktout from google/runzip"
|
||||||
required: false
|
required: false
|
||||||
default: v2.0.2
|
default: v1.2.1
|
||||||
openssl-version:
|
openssl-version:
|
||||||
description: "what reference to checkout from openssl/openssl for Linux"
|
description: "what reference to checkout from openssl/openssl for Linux"
|
||||||
required: false
|
required: false
|
||||||
default: openssl-3.5.0
|
default: openssl-3.3.0
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
matrix:
|
matrix:
|
||||||
os: [ubuntu-22.04, macos-13, windows-2022]
|
os: [ubuntu-20.04, macos-13, windows-2019]
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: google/ripunzip
|
repository: google/ripunzip
|
||||||
ref: ${{ inputs.ripunzip-version }}
|
ref: ${{ inputs.ripunzip-version }}
|
||||||
@@ -28,7 +28,7 @@ jobs:
|
|||||||
# see https://github.com/sfackler/rust-openssl/issues/183
|
# see https://github.com/sfackler/rust-openssl/issues/183
|
||||||
- if: runner.os == 'Linux'
|
- if: runner.os == 'Linux'
|
||||||
name: checkout openssl
|
name: checkout openssl
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: openssl/openssl
|
repository: openssl/openssl
|
||||||
path: openssl
|
path: openssl
|
||||||
|
|||||||
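Review bot: `default: openssl-3.3.0` pins the OpenSSL that is built from source and linked into the ripunzip binary (see the rust-openssl issue referenced at the top of the second hunk) to the first release of the 3.3 line; the OpenSSL project publishes patch releases on that line for security fixes, so the default should follow the latest 3.3.x tag and carry a comment such as `# statically linked into the shipped binary - keep on the latest patch release`. `ubuntu-20.04` and `windows-2019` in the matrix are runner labels that GitHub has, as far as I know, retired from hosted runners, so those legs will not schedule; the other side of this diff (`ubuntu-22.04`, `windows-2022`) carries the supported labels. `ripunzip-version` and `openssl-version` are free-text `workflow_dispatch` inputs that end up as `actions/checkout` `ref` values (the openssl `ref:` line sits just outside the hunk), which is acceptable only because dispatching requires write access, and a comment saying so is worth adding. While here, the input description `what reference to checktout from google/runzip` should read `what reference to checkout from google/ripunzip`.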
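--- a/.github/workflows/buildifier.yml
+++ b/.github/workflows/buildifier.yml
@@ -17,7 +17,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
-uses: actions/checkout@v5
+uses: actions/checkout@v4
 - name: Check bazel formatting
 uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
 with: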
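--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -16,6 +16,7 @@ on:
 - "shared/**/*.qll"
 - "!**/experimental/**"
 - "!ql/**"
+- "!rust/**"
 - ".github/workflows/check-change-note.yml"
 
 jobs: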
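--- a/.github/workflows/check-implicit-this.yml
+++ b/.github/workflows/check-implicit-this.yml
@@ -16,7 +16,7 @@ jobs:
 check:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v5
+- uses: actions/checkout@v4
 - name: Check that implicit this warnings is enabled for all packs
 shell: bash
 run: |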
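--- a/.github/workflows/check-overlay-annotations.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-name: Check overlay annotations
-
-on:
-push:
-branches:
-- main
-- 'rc/*'
-pull_request:
-branches:
-- main
-- 'rc/*'
-
-permissions:
-contents: read
-
-jobs:
-sync:
-runs-on: ubuntu-latest
-steps:
-- uses: actions/checkout@v5
-- name: Check overlay annotations
-run: python config/add-overlay-annotations.py --check java
-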
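--- a/.github/workflows/check-qldoc.yml
+++ b/.github/workflows/check-qldoc.yml
@@ -18,7 +18,7 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v5
+- uses: actions/checkout@v4
 with:
 fetch-depth: 2
 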
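--- a/.github/workflows/check-query-ids.yml
+++ b/.github/workflows/check-query-ids.yml
@@ -19,6 +19,6 @@ jobs:
 name: Check query IDs
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v5
+- uses: actions/checkout@v4
 - name: Check for duplicate query IDs
 run: python3 misc/scripts/check-query-ids.py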
11
.github/workflows/codeql-analysis.yml
vendored
11
.github/workflows/codeql-analysis.yml
vendored
@@ -18,10 +18,6 @@ on:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
CodeQL-Build:
|
CodeQL-Build:
|
||||||
strategy:
|
|
||||||
fail-fast: false
|
|
||||||
matrix:
|
|
||||||
language: ['actions', 'csharp']
|
|
||||||
|
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
@@ -34,16 +30,17 @@ jobs:
|
|||||||
- name: Setup dotnet
|
- name: Setup dotnet
|
||||||
uses: actions/setup-dotnet@v4
|
uses: actions/setup-dotnet@v4
|
||||||
with:
|
with:
|
||||||
dotnet-version: 9.0.300
|
dotnet-version: 9.0.100
|
||||||
|
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
# Initializes the CodeQL tools for scanning.
|
# Initializes the CodeQL tools for scanning.
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
uses: github/codeql-action/init@main
|
uses: github/codeql-action/init@main
|
||||||
|
# Override language selection by uncommenting this and choosing your languages
|
||||||
with:
|
with:
|
||||||
languages: ${{ matrix.language }}
|
languages: csharp
|
||||||
config-file: ./.github/codeql/codeql-config.yml
|
config-file: ./.github/codeql/codeql-config.yml
|
||||||
|
|
||||||
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
||||||
|
|||||||
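Review bot: The comment `# Override language selection by uncommenting this and choosing your languages` that sits above `with:` on the new side is stale: `languages: csharp` is set unconditionally right below it, so there is nothing commented out to uncomment. Replace it with one that states the real scope, e.g. `# Only the C# sources are scanned by this job; path exclusions live in .github/codeql/codeql-config.yml`, and if dropping the `actions` leg of the matrix (so the workflow files themselves are no longer scanned) is intended, record that there as well. `github/codeql-action/init@main` tracks a mutable branch rather than a release tag or commit SHA; it is context rather than part of this change, but it is the one action in this job that is not pinned to a fixed version, which is worth a note next to the otherwise exact `dotnet-version: 9.0.100` pin.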
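--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -22,7 +22,7 @@ jobs:
 runs-on: ubuntu-latest-xl
 
 steps:
-- uses: actions/checkout@v5
+- uses: actions/checkout@v4
 - name: Setup CodeQL
 uses: ./.github/actions/fetch-codeql
 with: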
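--- a/.github/workflows/cpp-swift-analysis.yml
+++ b/.github/workflows/cpp-swift-analysis.yml
@@ -28,7 +28,7 @@ jobs:
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v5
+uses: actions/checkout@v4
 
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL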
18
.github/workflows/csharp-qltest.yml
vendored
18
.github/workflows/csharp-qltest.yml
vendored
@@ -36,26 +36,26 @@ jobs:
|
|||||||
unit-tests:
|
unit-tests:
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
os: [ubuntu-latest, windows-latest]
|
os: [ubuntu-latest, windows-2019]
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Setup dotnet
|
- name: Setup dotnet
|
||||||
uses: actions/setup-dotnet@v4
|
uses: actions/setup-dotnet@v4
|
||||||
with:
|
with:
|
||||||
dotnet-version: 9.0.300
|
dotnet-version: 9.0.100
|
||||||
- name: Extractor unit tests
|
- name: Extractor unit tests
|
||||||
run: |
|
run: |
|
||||||
dotnet tool restore
|
dotnet tool restore
|
||||||
dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Util.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Extraction.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.CSharp.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.Cpp.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
|
||||||
shell: bash
|
shell: bash
|
||||||
stubgentest:
|
stubgentest:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./csharp/actions/create-extractor-pack
|
- uses: ./csharp/actions/create-extractor-pack
|
||||||
- name: Run stub generator tests
|
- name: Run stub generator tests
|
||||||
run: |
|
run: |
|
||||||
@@ -66,6 +66,6 @@ jobs:
|
|||||||
# Update existing stubs in the repo with the freshly generated ones
|
# Update existing stubs in the repo with the freshly generated ones
|
||||||
mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
|
mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
|
||||||
git status
|
git status
|
||||||
codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
|
codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
GITHUB_TOKEN: ${{ github.token }}
|
||||||
|
|||||||
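Review bot: `windows-2019` in the `unit-tests` matrix is a runner label that GitHub has, as far as I know, retired from hosted runners, so that leg will not schedule; `windows-2022` or `windows-latest` (the other side of this diff) is the supported replacement. The four `dotnet test -p:RuntimeFrameworkVersion=9.0.0` invocations pin the shared runtime to the initial 9.0 release while `dotnet-version: 9.0.100` only selects the SDK; if the runtime must be pinned, track the current 9.0 servicing release rather than `.0`, and keep it in one place, e.g. a job-level `env: DOTNET_RUNTIME_VERSION: <current 9.0.x>` referenced as `-p:RuntimeFrameworkVersion=$DOTNET_RUNTIME_VERSION`, instead of four copies that drift independently.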
4
.github/workflows/csv-coverage-metrics.yml
vendored
4
.github/workflows/csv-coverage-metrics.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Create empty database
|
- name: Create empty database
|
||||||
@@ -51,7 +51,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Create empty database
|
- name: Create empty database
|
||||||
|
|||||||
@@ -35,11 +35,11 @@ jobs:
|
|||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||||
run: echo "$GITHUB_CONTEXT"
|
run: echo "$GITHUB_CONTEXT"
|
||||||
- name: Clone self (github/codeql) - MERGE
|
- name: Clone self (github/codeql) - MERGE
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: merge
|
path: merge
|
||||||
- name: Clone self (github/codeql) - BASE
|
- name: Clone self (github/codeql) - BASE
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
path: base
|
path: base
|
||||||
|
|||||||
@@ -24,7 +24,7 @@ jobs:
|
|||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||||
run: echo "$GITHUB_CONTEXT"
|
run: echo "$GITHUB_CONTEXT"
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Set up Python 3.8
|
- name: Set up Python 3.8
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
|
|||||||
@@ -12,11 +12,11 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: script
|
path: script
|
||||||
- name: Clone self (github/codeql) for analysis
|
- name: Clone self (github/codeql) for analysis
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: codeqlModels
|
path: codeqlModels
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|||||||
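--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -21,7 +21,7 @@ jobs:
 GITHUB_CONTEXT: ${{ toJSON(github.event) }}
 run: echo "$GITHUB_CONTEXT"
 - name: Clone self (github/codeql)
-uses: actions/checkout@v5
+uses: actions/checkout@v4
 with:
 path: ql
 fetch-depth: 0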
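--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -16,11 +16,11 @@ jobs:
 
 steps:
 - name: Clone self (github/codeql)
-uses: actions/checkout@v5
+uses: actions/checkout@v4
 with:
 path: script
 - name: Clone self (github/codeql) for analysis
-uses: actions/checkout@v5
+uses: actions/checkout@v4
 with:
 path: codeqlModels
 ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}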
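--- a/.github/workflows/fast-forward.yml
+++ b/.github/workflows/fast-forward.yml
@@ -26,7 +26,7 @@ jobs:
 exit 1
 
 - name: Checkout
-uses: actions/checkout@v5
+uses: actions/checkout@v4
 
 - name: Git config
 shell: bash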
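--- /dev/null
+++ b/.github/workflows/go-tests-other-os.yml
@@ -0,0 +1,36 @@
+name: "Go: Run Tests - Other OS"
+on:
+pull_request:
+paths:
+- "go/**"
+- "!go/documentation/**"
+- "!go/ql/**" # don't run other-os if only ql/ files changed
+- .github/workflows/go-tests-other-os.yml
+- .github/actions/**
+- codeql-workspace.yml
+- MODULE.bazel
+- .bazelrc
+- misc/bazel/**
+
+permissions:
+contents: read
+
+jobs:
+test-mac:
+name: Test MacOS
+runs-on: macos-latest
+steps:
+- name: Check out code
+uses: actions/checkout@v4
+- name: Run tests
+uses: ./go/actions/test
+
+test-win:
+if: github.repository_owner == 'github'
+name: Test Windows
+runs-on: windows-latest-xl
+steps:
+- name: Check out code
+uses: actions/checkout@v4
+- name: Run tests
+uses: ./go/actions/test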
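Review bot: Both `uses: actions/checkout@v4` steps in the new workflow pin the action to a mutable major tag; this repository already pins `pre-commit/action` to a full commit SHA (see buildifier.yml), so for consistency and to rule out a re-tagged action being pulled into CI, pin checkout the same way, `uses: actions/checkout@<sha> # v4`. `test-mac` runs on forks while `test-win` is gated on `github.repository_owner == 'github'`; if the gate is there because `windows-latest-xl` is an org-only large runner, a one-line comment on the `if:` saying so will stop someone from "fixing" the asymmetry. The workflow-level `permissions: contents: read` is the right default and is worth keeping even if jobs are added later.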
13
.github/workflows/go-tests.yml
vendored
13
.github/workflows/go-tests.yml
vendored
@@ -1,5 +1,16 @@
|
|||||||
name: "Go: Run Tests"
|
name: "Go: Run Tests"
|
||||||
on:
|
on:
|
||||||
|
push:
|
||||||
|
paths:
|
||||||
|
- "go/**"
|
||||||
|
- "!go/documentation/**"
|
||||||
|
- "shared/**"
|
||||||
|
- .github/workflows/go-tests.yml
|
||||||
|
- .github/actions/**
|
||||||
|
- codeql-workspace.yml
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- "rc/*"
|
||||||
pull_request:
|
pull_request:
|
||||||
paths:
|
paths:
|
||||||
- "go/**"
|
- "go/**"
|
||||||
@@ -22,7 +33,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- name: Check out code
|
- name: Check out code
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Run tests
|
- name: Run tests
|
||||||
uses: ./go/actions/test
|
uses: ./go/actions/test
|
||||||
with:
|
with:
|
||||||
|
|||||||
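--- a/.github/workflows/kotlin-build.yml
+++ b/.github/workflows/kotlin-build.yml
@@ -20,7 +20,7 @@ jobs:
 build:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v5
+- uses: actions/checkout@v4
 - run: |
 bazel query //java/kotlin-extractor/...
 # only build the default version as a quick check that we can build from `codeql`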
6
.github/workflows/mad_modelDiff.yml
vendored
6
.github/workflows/mad_modelDiff.yml
vendored
@@ -28,12 +28,12 @@ jobs:
|
|||||||
slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
|
slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
|
||||||
steps:
|
steps:
|
||||||
- name: Clone github/codeql from PR
|
- name: Clone github/codeql from PR
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
if: github.event.pull_request
|
if: github.event.pull_request
|
||||||
with:
|
with:
|
||||||
path: codeql-pr
|
path: codeql-pr
|
||||||
- name: Clone github/codeql from main
|
- name: Clone github/codeql from main
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: codeql-main
|
path: codeql-main
|
||||||
ref: main
|
ref: main
|
||||||
@@ -68,7 +68,7 @@ jobs:
|
|||||||
DATABASE=$2
|
DATABASE=$2
|
||||||
cd codeql-$QL_VARIANT
|
cd codeql-$QL_VARIANT
|
||||||
SHORTNAME=`basename $DATABASE`
|
SHORTNAME=`basename $DATABASE`
|
||||||
python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
|
python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
|
||||||
mkdir -p $MODELS/$SHORTNAME
|
mkdir -p $MODELS/$SHORTNAME
|
||||||
mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
|
mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
|
||||||
cd ..
|
cd ..
|
||||||
|
|||||||
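Review bot: The `GenerateFlowModel.py` invocation on the new side, like the `` SHORTNAME=`basename $DATABASE` `` and `cd codeql-$QL_VARIANT` lines around it, expands `$DATABASE`, `$SHORTNAME` and `$QL_VARIANT` unquoted inside `run:`, so a database path containing whitespace is word-split into separate arguments. Quote them: `SHORTNAME=$(basename "$DATABASE")` and `python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks "$DATABASE" "$SHORTNAME/$QL_VARIANT"`. The `slug` matrix is built from the free-text `github.event.inputs.projects` dispatch input, which is acceptable only because `workflow_dispatch` requires write access; a comment on the matrix saying so would make that trust assumption visible. The shell function these lines belong to starts before the hunk.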
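--- a/.github/workflows/mad_regenerate-models.yml
+++ b/.github/workflows/mad_regenerate-models.yml
@@ -30,11 +30,11 @@ jobs:
 ref: "placeholder"
 steps:
 - name: Clone self (github/codeql)
-uses: actions/checkout@v5
+uses: actions/checkout@v4
 - name: Setup CodeQL binaries
 uses: ./.github/actions/fetch-codeql
 - name: Clone repositories
-uses: actions/checkout@v5
+uses: actions/checkout@v4
 with:
 path: repos/${{ matrix.ref }}
 ref: ${{ matrix.ref }}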
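--- a/.github/workflows/python-tooling.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-name: Python tooling
-
-on:
-pull_request:
-paths:
-- "misc/bazel/**"
-- "misc/codegen/**"
-- "misc/scripts/models-as-data/bulk_generate_mad.py"
-- "*.bazel*"
-- .github/workflows/codegen.yml
-- .pre-commit-config.yaml
-branches:
-- main
-- rc/*
-- codeql-cli-*
-
-permissions:
-contents: read
-
-jobs:
-check-python-tooling:
-runs-on: ubuntu-latest
-steps:
-- uses: actions/checkout@v5
-- uses: actions/setup-python@v5
-with:
-python-version: '3.12'
-- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
-name: Check that python code is properly formatted
-with:
-extra_args: black --all-files
-- name: Run codegen tests
-shell: bash
-run: |
-bazel test //misc/codegen/...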
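--- a/.github/workflows/qhelp-pr-preview.yml
+++ b/.github/workflows/qhelp-pr-preview.yml
@@ -43,7 +43,7 @@ jobs:
 if-no-files-found: error
 retention-days: 1
 
-- uses: actions/checkout@v5
+- uses: actions/checkout@v4
 with:
 fetch-depth: 2
 persist-credentials: false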
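--- a/.github/workflows/ql-for-ql-build.yml
+++ b/.github/workflows/ql-for-ql-build.yml
@@ -19,7 +19,7 @@ jobs:
 runs-on: ubuntu-latest-xl
 steps:
 ### Build the queries ###
-- uses: actions/checkout@v5
+- uses: actions/checkout@v4
 with:
 fetch-depth: 0
 - name: Find codeql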
@@ -25,7 +25,7 @@ jobs:
|
|||||||
- github/codeql
|
- github/codeql
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
@@ -46,14 +46,14 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||||
- name: Checkout ${{ matrix.repo }}
|
- name: Checkout ${{ matrix.repo }}
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: ${{ matrix.repo }}
|
repository: ${{ matrix.repo }}
|
||||||
path: ${{ github.workspace }}/repo
|
path: ${{ github.workspace }}/repo
|
||||||
- name: Create database
|
- name: Create database
|
||||||
run: |
|
run: |
|
||||||
"${CODEQL}" database create \
|
"${CODEQL}" database create \
|
||||||
--search-path "${{ github.workspace }}" \
|
--search-path "${{ github.workspace }}"
|
||||||
--threads 4 \
|
--threads 4 \
|
||||||
--language ql --source-root "${{ github.workspace }}/repo" \
|
--language ql --source-root "${{ github.workspace }}/repo" \
|
||||||
"${{ runner.temp }}/database"
|
"${{ runner.temp }}/database"
|
||||||
@@ -75,7 +75,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: measure
|
needs: measure
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/download-artifact@v4
|
- uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: measurements
|
name: measurements
|
||||||
|
|||||||
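Review bot: As rendered, the new side of the `Create database` step drops the trailing `\` after `--search-path "${{ github.workspace }}"`, which terminates the `"${CODEQL}" database create` command there; `--threads 4 \` and the lines after it are then executed as a separate shell command, so the step fails (GitHub runs `run:` under bash with `-e`) and no database is built for the `measure` job. Restore the continuation: `--search-path "${{ github.workspace }}" \`. If this is a rendering artefact rather than an actual edit, confirm against the raw file, since the old side shows the backslash and the new side does not. The file header for this section is not visible on the page; the `measure`/`download-artifact` context suggests it is the QL dataset-measurement workflow.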
4
.github/workflows/ql-for-ql-tests.yml
vendored
4
.github/workflows/ql-for-ql-tests.yml
vendored
@@ -24,7 +24,7 @@ jobs:
|
|||||||
qltest:
|
qltest:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
uses: github/codeql-action/init@main
|
uses: github/codeql-action/init@main
|
||||||
@@ -64,7 +64,7 @@ jobs:
|
|||||||
needs: [qltest]
|
needs: [qltest]
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Install GNU tar
|
- name: Install GNU tar
|
||||||
if: runner.os == 'macOS'
|
if: runner.os == 'macOS'
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
4
.github/workflows/query-list.yml
vendored
4
.github/workflows/query-list.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: codeql
|
path: codeql
|
||||||
- name: Set up Python 3.8
|
- name: Set up Python 3.8
|
||||||
@@ -31,7 +31,7 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
python-version: 3.8
|
python-version: 3.8
|
||||||
- name: Download CodeQL CLI
|
- name: Download CodeQL CLI
|
||||||
# Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
|
# Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
|
||||||
uses: ./codeql/.github/actions/fetch-codeql
|
uses: ./codeql/.github/actions/fetch-codeql
|
||||||
- name: Build code scanning query list
|
- name: Build code scanning query list
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
8
.github/workflows/ruby-build.yml
vendored
8
.github/workflows/ruby-build.yml
vendored
@@ -47,7 +47,7 @@ jobs:
|
|||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Install GNU tar
|
- name: Install GNU tar
|
||||||
if: runner.os == 'macOS'
|
if: runner.os == 'macOS'
|
||||||
run: |
|
run: |
|
||||||
@@ -113,7 +113,7 @@ jobs:
|
|||||||
if: github.repository_owner == 'github'
|
if: github.repository_owner == 'github'
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Fetch CodeQL
|
- name: Fetch CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Cache compilation cache
|
- name: Cache compilation cache
|
||||||
@@ -146,7 +146,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: [build, compile-queries]
|
needs: [build, compile-queries]
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/download-artifact@v4
|
- uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: ruby.dbscheme
|
name: ruby.dbscheme
|
||||||
@@ -209,7 +209,7 @@ jobs:
|
|||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
needs: [package]
|
needs: [package]
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Fetch CodeQL
|
- name: Fetch CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
|
|||||||
6
.github/workflows/ruby-dataset-measure.yml
@@ -30,14 +30,14 @@ jobs:
|
|||||||
repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
|
repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
- uses: ./ruby/actions/create-extractor-pack
|
- uses: ./ruby/actions/create-extractor-pack
|
||||||
|
|
||||||
- name: Checkout ${{ matrix.repo }}
|
- name: Checkout ${{ matrix.repo }}
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: ${{ matrix.repo }}
|
repository: ${{ matrix.repo }}
|
||||||
path: ${{ github.workspace }}/repo
|
path: ${{ github.workspace }}/repo
|
||||||
@@ -62,7 +62,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: measure
|
needs: measure
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/download-artifact@v4
|
- uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
path: stats
|
path: stats
|
||||||
|
|||||||
40
.github/workflows/ruby-qltest-rtjo.yml
@@ -1,40 +0,0 @@
|
|||||||
name: "Ruby: Run RTJO Language Tests"
|
|
||||||
|
|
||||||
on:
|
|
||||||
pull_request:
|
|
||||||
types:
|
|
||||||
- opened
|
|
||||||
- synchronize
|
|
||||||
- reopened
|
|
||||||
- labeled
|
|
||||||
|
|
||||||
env:
|
|
||||||
CARGO_TERM_COLOR: always
|
|
||||||
|
|
||||||
defaults:
|
|
||||||
run:
|
|
||||||
working-directory: ruby
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
qltest-rtjo:
|
|
||||||
if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
|
|
||||||
runs-on: ubuntu-latest-xl
|
|
||||||
strategy:
|
|
||||||
fail-fast: false
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v5
|
|
||||||
- uses: ./.github/actions/fetch-codeql
|
|
||||||
- uses: ./ruby/actions/create-extractor-pack
|
|
||||||
- name: Cache compilation cache
|
|
||||||
id: query-cache
|
|
||||||
uses: ./.github/actions/cache-query-compilation
|
|
||||||
with:
|
|
||||||
key: ruby-qltest
|
|
||||||
- name: Run QL tests
|
|
||||||
run: |
|
|
||||||
codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
|
||||||
env:
|
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
|
||||||
6
.github/workflows/ruby-qltest.yml
@@ -36,7 +36,7 @@ jobs:
|
|||||||
qlupgrade:
|
qlupgrade:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- name: Check DB upgrade scripts
|
- name: Check DB upgrade scripts
|
||||||
run: |
|
run: |
|
||||||
@@ -58,7 +58,7 @@ jobs:
|
|||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- uses: ./ruby/actions/create-extractor-pack
|
- uses: ./ruby/actions/create-extractor-pack
|
||||||
- name: Cache compilation cache
|
- name: Cache compilation cache
|
||||||
@@ -68,6 +68,6 @@ jobs:
|
|||||||
key: ruby-qltest
|
key: ruby-qltest
|
||||||
- name: Run QL tests
|
- name: Run QL tests
|
||||||
run: |
|
run: |
|
||||||
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
GITHUB_TOKEN: ${{ github.token }}
|
||||||
|
|||||||
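Review bot: The new `codeql test run` line in the `Run QL tests` step drops `--check-diff-informed` while keeping every other `--check-*` flag, so the Ruby QL test job no longer verifies diff-informed data-flow consistency; the RTJO workflow deleted in this same compare still passed that flag. If the CLI fetched on this branch does not accept the flag, record that above the step, e.g. `# --check-diff-informed omitted: not supported by the CLI version fetched here`; otherwise restore `--check-diff-informed` after `--check-databases`. The remainder of this workflow is outside the hunk.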
2
.github/workflows/rust-analysis.yml
@@ -35,7 +35,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Query latest nightly CodeQL bundle
|
- name: Query latest nightly CodeQL bundle
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|||||||
6
.github/workflows/rust.yml
@@ -30,7 +30,7 @@ jobs:
|
|||||||
working-directory: rust/ast-generator
|
working-directory: rust/ast-generator
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Inject sources
|
- name: Inject sources
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
@@ -53,7 +53,7 @@ jobs:
|
|||||||
working-directory: rust/extractor
|
working-directory: rust/extractor
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Format
|
- name: Format
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
@@ -69,7 +69,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Install CodeQL
|
- name: Install CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Code generation
|
- name: Code generation
|
||||||
|
|||||||
87
.github/workflows/swift.yml
@@ -18,50 +18,65 @@ on:
|
|||||||
- main
|
- main
|
||||||
- rc/*
|
- rc/*
|
||||||
- codeql-cli-*
|
- codeql-cli-*
|
||||||
|
push:
|
||||||
|
paths:
|
||||||
|
- "swift/**"
|
||||||
|
- "misc/bazel/**"
|
||||||
|
- "misc/codegen/**"
|
||||||
|
- "shared/**"
|
||||||
|
- "*.bazel*"
|
||||||
|
- .github/workflows/swift.yml
|
||||||
|
- .github/actions/**
|
||||||
|
- codeql-workspace.yml
|
||||||
|
- .pre-commit-config.yaml
|
||||||
|
- "!**/*.md"
|
||||||
|
- "!**/*.qhelp"
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- rc/*
|
||||||
|
- codeql-cli-*
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
|
|
||||||
defaults:
|
|
||||||
run:
|
|
||||||
shell: bash
|
|
||||||
working-directory: swift
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build-and-test:
|
# not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
|
||||||
|
# without waiting for the macOS build
|
||||||
|
build-and-test-macos:
|
||||||
if: github.repository_owner == 'github'
|
if: github.repository_owner == 'github'
|
||||||
strategy:
|
runs-on: macos-13-xlarge
|
||||||
matrix:
|
|
||||||
runner: [ubuntu-latest, macos-15-xlarge]
|
|
||||||
fail-fast: false
|
|
||||||
runs-on: ${{ matrix.runner }}
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Setup (Linux)
|
- uses: ./swift/actions/build-and-test
|
||||||
if: runner.os == 'Linux'
|
qltests-macos:
|
||||||
run: |
|
if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
|
||||||
sudo apt-get update
|
needs: build-and-test-macos
|
||||||
sudo apt-get install -y uuid-dev zlib1g-dev
|
runs-on: macos-13-xlarge
|
||||||
- name: Build Swift extractor
|
steps:
|
||||||
shell: bash
|
- uses: actions/checkout@v4
|
||||||
run: |
|
- uses: ./swift/actions/run-ql-tests
|
||||||
bazel run :install
|
|
||||||
- name: Run Swift tests
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
bazel test ... --test_tag_filters=-override --test_output=errors
|
|
||||||
clang-format:
|
clang-format:
|
||||||
|
if : ${{ github.event_name == 'pull_request' }}
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||||
name: Check that python code is properly formatted
|
name: Check that python code is properly formatted
|
||||||
with:
|
with:
|
||||||
extra_args: clang-format --all-files
|
extra_args: clang-format --all-files
|
||||||
codegen:
|
codegen:
|
||||||
|
if : ${{ github.event_name == 'pull_request' }}
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
|
- uses: bazelbuild/setup-bazelisk@v2
|
||||||
|
- uses: actions/setup-python@v4
|
||||||
|
with:
|
||||||
|
python-version-file: 'swift/.python-version'
|
||||||
|
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||||
|
name: Check that python code is properly formatted
|
||||||
|
with:
|
||||||
|
extra_args: autopep8 --all-files
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||||
name: Check that QL generated code was checked in
|
name: Check that QL generated code was checked in
|
||||||
@@ -69,14 +84,22 @@ jobs:
|
|||||||
extra_args: swift-codegen --all-files
|
extra_args: swift-codegen --all-files
|
||||||
- name: Generate C++ files
|
- name: Generate C++ files
|
||||||
run: |
|
run: |
|
||||||
bazel run codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
|
bazel run //swift/codegen:codegen -- --generate=trap,cpp --cpp-output=$PWD/generated-cpp-files
|
||||||
- uses: actions/upload-artifact@v4
|
- uses: actions/upload-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: swift-generated-cpp-files
|
name: swift-generated-cpp-files
|
||||||
path: generated-cpp-files/**
|
path: generated-cpp-files/**
|
||||||
check-no-override:
|
database-upgrade-scripts:
|
||||||
|
if : ${{ github.event_name == 'pull_request' }}
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check that no override is present in load.bzl
|
- uses: ./.github/actions/fetch-codeql
|
||||||
run: bazel test ... --test_tag_filters=override --test_output=errors
|
- uses: ./swift/actions/database-upgrade-scripts
|
||||||
|
check-no-override:
|
||||||
|
if : github.event_name == 'pull_request'
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- shell: bash
|
||||||
|
run: bazel test //swift/... --test_tag_filters=override --test_output=errors
|
||||||
|
|||||||
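Review bot: The new `codegen` job pulls in `bazelbuild/setup-bazelisk@v2` and `actions/setup-python@v4` by floating major-version tag, while the `pre-commit/action` step right after them in the same job is pinned to a full commit SHA; a mutable tag lets a force-pushed or compromised release change what runs in CI with the repository token. Pin both to a commit SHA with a version comment, matching the existing pin, e.g. `- uses: bazelbuild/setup-bazelisk@<sha> # v2`. Separately, the four added `if :` lines (`clang-format`, `codegen`, `database-upgrade-scripts`, `check-no-override`) carry a space before the colon; it parses, but yamllint flags it and the `build-and-test-macos` job in the same hunk writes `if: github.repository_owner == 'github'` — use `if: github.event_name == 'pull_request'` throughout.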
2
.github/workflows/sync-files.yml
@@ -17,7 +17,7 @@ jobs:
|
|||||||
sync:
|
sync:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check synchronized files
|
- name: Check synchronized files
|
||||||
run: python config/sync-files.py
|
run: python config/sync-files.py
|
||||||
- name: Check dbscheme fragments
|
- name: Check dbscheme fragments
|
||||||
|
|||||||
@@ -30,7 +30,7 @@ jobs:
|
|||||||
test:
|
test:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check formatting
|
- name: Check formatting
|
||||||
run: cargo fmt -- --check
|
run: cargo fmt -- --check
|
||||||
- name: Run tests
|
- name: Run tests
|
||||||
@@ -38,12 +38,12 @@ jobs:
|
|||||||
fmt:
|
fmt:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check formatting
|
- name: Check formatting
|
||||||
run: cargo fmt --check
|
run: cargo fmt --check
|
||||||
clippy:
|
clippy:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Run clippy
|
- name: Run clippy
|
||||||
run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
|
run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
|
||||||
|
|||||||
4
.github/workflows/validate-change-notes.yml
@@ -23,7 +23,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
@@ -31,4 +31,4 @@ jobs:
|
|||||||
- name: Fail if there are any errors with existing change notes
|
- name: Fail if there are any errors with existing change notes
|
||||||
|
|
||||||
run: |
|
run: |
|
||||||
codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
|
codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental
|
||||||
|
|||||||
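Review bot: The new `codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental` line no longer lists `actions`, `go`, `shared` and `swift`, so change notes under those packs are not validated by this job, even though CODEOWNERS in this compare still routes `/actions/`, `/swift/` and the `go-*` workflows to their teams. If the omission is deliberate for this branch, add a comment above the `run:` naming the excluded groups and why; otherwise restore them with `--groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift,-examples,-test,-experimental`. The job's earlier steps are outside this hunk.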
2
.github/workflows/zipmerge-test.yml
@@ -18,6 +18,6 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- run: |
|
- run: |
|
||||||
bazel test //misc/bazel/internal/zipmerge:test --test_output=all
|
bazel test //misc/bazel/internal/zipmerge:test --test_output=all
|
||||||
|
|||||||
8
.gitignore
@@ -62,7 +62,6 @@ node_modules/
|
|||||||
|
|
||||||
# Temporary folders for working with generated models
|
# Temporary folders for working with generated models
|
||||||
.model-temp
|
.model-temp
|
||||||
/mad-generation-build
|
|
||||||
|
|
||||||
# bazel-built in-tree extractor packs
|
# bazel-built in-tree extractor packs
|
||||||
/*/extractor-pack
|
/*/extractor-pack
|
||||||
@@ -72,10 +71,3 @@ node_modules/
|
|||||||
|
|
||||||
# cargo build directory
|
# cargo build directory
|
||||||
/target
|
/target
|
||||||
|
|
||||||
# some upgrade/downgrade checks create these files
|
|
||||||
**/upgrades/*/*.dbscheme.stats
|
|
||||||
**/downgrades/*/*.dbscheme.stats
|
|
||||||
|
|
||||||
# Mergetool files
|
|
||||||
*.orig
|
|
||||||
|
|||||||
@@ -1,7 +1,5 @@
|
|||||||
# See https://pre-commit.com for more information
|
# See https://pre-commit.com for more information
|
||||||
# See https://pre-commit.com/hooks.html for more hooks
|
# See https://pre-commit.com/hooks.html for more hooks
|
||||||
default_language_version:
|
|
||||||
python: python3.12
|
|
||||||
repos:
|
repos:
|
||||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||||
rev: v3.2.0
|
rev: v3.2.0
|
||||||
@@ -9,18 +7,18 @@ repos:
|
|||||||
- id: trailing-whitespace
|
- id: trailing-whitespace
|
||||||
exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
|
exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
|
||||||
- id: end-of-file-fixer
|
- id: end-of-file-fixer
|
||||||
exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
|
exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
|
||||||
|
|
||||||
- repo: https://github.com/pre-commit/mirrors-clang-format
|
- repo: https://github.com/pre-commit/mirrors-clang-format
|
||||||
rev: v17.0.6
|
rev: v17.0.6
|
||||||
hooks:
|
hooks:
|
||||||
- id: clang-format
|
- id: clang-format
|
||||||
|
|
||||||
- repo: https://github.com/psf/black
|
- repo: https://github.com/pre-commit/mirrors-autopep8
|
||||||
rev: 25.1.0
|
rev: v2.0.4
|
||||||
hooks:
|
hooks:
|
||||||
- id: black
|
- id: autopep8
|
||||||
files: ^(misc/codegen/.*|misc/scripts/models-as-data/.*)\.py$
|
files: ^misc/codegen/.*\.py
|
||||||
|
|
||||||
- repo: local
|
- repo: local
|
||||||
hooks:
|
hooks:
|
||||||
@@ -74,7 +72,7 @@ repos:
|
|||||||
|
|
||||||
- id: rust-codegen
|
- id: rust-codegen
|
||||||
name: Run Rust checked in code generation
|
name: Run Rust checked in code generation
|
||||||
files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list|ast-generator/)
|
files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
|
||||||
language: system
|
language: system
|
||||||
entry: bazel run //rust/codegen -- --quiet
|
entry: bazel run //rust/codegen -- --quiet
|
||||||
pass_filenames: false
|
pass_filenames: false
|
||||||
|
|||||||
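Review bot: The new `files: ^misc/codegen/.*\.py` pattern for the `autopep8` hook has no `$` anchor, unlike the `black` line it replaces, and pre-commit matches `files` with a search, so the hook also runs on any path under `misc/codegen/` whose name merely contains `.py` (`.pyc`, `.pyi`, `foo.py.bak`); write `files: ^misc/codegen/.*\.py$`. The new `end-of-file-fixer` exclude also drops `Cargo.lock$`, so the hook will now edit a cargo-generated file that is itself changed in this compare; unless cargo's output is known to end in a newline, keep `exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$`.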
10
.vscode/tasks.json
@@ -50,11 +50,6 @@
|
|||||||
"${input:name}",
|
"${input:name}",
|
||||||
"${input:categoryQuery}"
|
"${input:categoryQuery}"
|
||||||
],
|
],
|
||||||
"options": {
|
|
||||||
"env": {
|
|
||||||
"EDITOR": "code -r",
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"presentation": {
|
"presentation": {
|
||||||
"reveal": "never",
|
"reveal": "never",
|
||||||
"close": true
|
"close": true
|
||||||
@@ -72,11 +67,6 @@
|
|||||||
"${input:name}",
|
"${input:name}",
|
||||||
"${input:categoryLibrary}"
|
"${input:categoryLibrary}"
|
||||||
],
|
],
|
||||||
"options": {
|
|
||||||
"env": {
|
|
||||||
"EDITOR": "code -r"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"presentation": {
|
"presentation": {
|
||||||
"reveal": "never",
|
"reveal": "never",
|
||||||
"close": true
|
"close": true
|
||||||
|
|||||||
15
CODEOWNERS
@@ -1,7 +1,3 @@
|
|||||||
# Catch-all for anything which isn't matched by a line lower down
|
|
||||||
* @github/code-scanning-alert-coverage
|
|
||||||
|
|
||||||
# CodeQL language libraries
|
|
||||||
/actions/ @github/codeql-dynamic
|
/actions/ @github/codeql-dynamic
|
||||||
/cpp/ @github/codeql-c-analysis
|
/cpp/ @github/codeql-c-analysis
|
||||||
/csharp/ @github/codeql-csharp
|
/csharp/ @github/codeql-csharp
|
||||||
@@ -11,26 +7,22 @@
|
|||||||
/java/ @github/codeql-java
|
/java/ @github/codeql-java
|
||||||
/javascript/ @github/codeql-javascript
|
/javascript/ @github/codeql-javascript
|
||||||
/python/ @github/codeql-python
|
/python/ @github/codeql-python
|
||||||
/ql/ @github/codeql-ql-for-ql-reviewers
|
|
||||||
/ruby/ @github/codeql-ruby
|
/ruby/ @github/codeql-ruby
|
||||||
/rust/ @github/codeql-rust
|
|
||||||
/shared/ @github/codeql-shared-libraries-reviewers
|
|
||||||
/swift/ @github/codeql-swift
|
/swift/ @github/codeql-swift
|
||||||
/misc/codegen/ @github/codeql-swift
|
/misc/codegen/ @github/codeql-swift
|
||||||
/java/kotlin-extractor/ @github/codeql-kotlin
|
/java/kotlin-extractor/ @github/codeql-kotlin
|
||||||
/java/ql/test-kotlin1/ @github/codeql-kotlin
|
/java/ql/test-kotlin1/ @github/codeql-kotlin
|
||||||
/java/ql/test-kotlin2/ @github/codeql-kotlin
|
/java/ql/test-kotlin2/ @github/codeql-kotlin
|
||||||
|
|
||||||
# Experimental CodeQL cryptography
|
|
||||||
**/experimental/**/quantum/ @github/ps-codeql
|
|
||||||
/shared/quantum/ @github/ps-codeql
|
|
||||||
|
|
||||||
# CodeQL tools and associated docs
|
# CodeQL tools and associated docs
|
||||||
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
|
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
|
||||||
/docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
|
/docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
|
||||||
/docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
|
/docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
|
||||||
/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
|
/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
|
||||||
|
|
||||||
|
# QL for QL reviewers
|
||||||
|
/ql/ @github/codeql-ql-for-ql-reviewers
|
||||||
|
|
||||||
# Bazel (excluding BUILD.bazel files)
|
# Bazel (excluding BUILD.bazel files)
|
||||||
MODULE.bazel @github/codeql-ci-reviewers
|
MODULE.bazel @github/codeql-ci-reviewers
|
||||||
.bazelversion @github/codeql-ci-reviewers
|
.bazelversion @github/codeql-ci-reviewers
|
||||||
@@ -46,7 +38,6 @@ MODULE.bazel @github/codeql-ci-reviewers
|
|||||||
/.github/workflows/go-* @github/codeql-go
|
/.github/workflows/go-* @github/codeql-go
|
||||||
/.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
|
/.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
|
||||||
/.github/workflows/ruby-* @github/codeql-ruby
|
/.github/workflows/ruby-* @github/codeql-ruby
|
||||||
/.github/workflows/rust.yml @github/codeql-rust
|
|
||||||
/.github/workflows/swift.yml @github/codeql-swift
|
/.github/workflows/swift.yml @github/codeql-swift
|
||||||
|
|
||||||
# Misc
|
# Misc
|
||||||
|
|||||||
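Review bot: The new side drops the catch-all `* @github/code-scanning-alert-coverage` line together with the `/rust/`, `/shared/` and `/.github/workflows/rust.yml` entries, while `rust/` crates still appear in the Cargo workspace elsewhere in this compare, so changes under `rust/`, `shared/` and the Rust workflow now match no owner and require no reviewer — a weaker gate than before, and `.github/workflows/` files define what runs with repository tokens. If removing the catch-all is intended, at least restore the explicit entries, e.g. `/rust/ @github/codeql-rust` and `/shared/ @github/codeql-shared-libraries-reviewers` plus `/.github/workflows/rust.yml @github/codeql-rust`; otherwise keep the `*` line so every path has an owner. The `/ql/` entry is only moved, not removed.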
1850
Cargo.lock
@@ -10,3 +10,8 @@ members = [
|
|||||||
"rust/ast-generator",
|
"rust/ast-generator",
|
||||||
"rust/autobuild",
|
"rust/autobuild",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
[patch.crates-io]
|
||||||
|
# patch for build script bug preventing bazel build
|
||||||
|
# see https://github.com/rust-lang/rustc_apfloat/pull/17
|
||||||
|
rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "096d585100636bc2e9f09d7eefec38c5b334d47b" }
|
||||||
|
|||||||
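Review bot: The added `[patch.crates-io]` entry sources `rustc_apfloat` from a personal fork (`redsun82/rustc_apfloat`); pinning to a full `rev` is right, but a patch over a crates.io dependency hosted on an individual account is a single point of failure for the build, and the comment gives no condition for removing it. Expand the comment to say when the patch goes away and what to check, e.g. `# TODO: drop once rust-lang/rustc_apfloat#17 is released on crates.io; rev is pinned — diff the fork against the upstream PR before bumping`, and consider moving the fork under the org so the pinned commit cannot vanish with the account. Confirm the collapsed Cargo.lock diff in this compare records the same `rev` for `rustc_apfloat`.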
198
MODULE.bazel
@@ -14,34 +14,30 @@ local_path_override(
|
|||||||
|
|
||||||
# see https://registry.bazel.build/ for a list of available packages
|
# see https://registry.bazel.build/ for a list of available packages
|
||||||
|
|
||||||
bazel_dep(name = "platforms", version = "1.0.0")
|
bazel_dep(name = "platforms", version = "0.0.11")
|
||||||
bazel_dep(name = "rules_go", version = "0.56.1")
|
bazel_dep(name = "rules_go", version = "0.50.1")
|
||||||
bazel_dep(name = "rules_pkg", version = "1.0.1")
|
bazel_dep(name = "rules_pkg", version = "1.0.1")
|
||||||
bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
|
bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
|
||||||
bazel_dep(name = "rules_python", version = "0.40.0")
|
bazel_dep(name = "rules_python", version = "0.40.0")
|
||||||
bazel_dep(name = "rules_shell", version = "0.5.0")
|
bazel_dep(name = "rules_shell", version = "0.3.0")
|
||||||
bazel_dep(name = "bazel_skylib", version = "1.8.1")
|
bazel_dep(name = "bazel_skylib", version = "1.7.1")
|
||||||
bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
|
bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
|
||||||
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
|
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
|
||||||
bazel_dep(name = "fmt", version = "10.0.0")
|
bazel_dep(name = "fmt", version = "10.0.0")
|
||||||
bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
|
bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
|
||||||
bazel_dep(name = "gazelle", version = "0.40.0")
|
bazel_dep(name = "gazelle", version = "0.40.0")
|
||||||
bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
|
bazel_dep(name = "rules_dotnet", version = "0.17.4")
|
||||||
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
|
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
|
||||||
bazel_dep(name = "rules_rust", version = "0.66.0")
|
bazel_dep(name = "rules_rust", version = "0.57.1")
|
||||||
bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
|
bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
|
||||||
|
|
||||||
bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
|
bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
|
||||||
|
|
||||||
# Keep edition and version approximately in sync with internal repo.
|
# Keep edition and version approximately in sync with internal repo.
|
||||||
# the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
|
# the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
|
||||||
RUST_EDITION = "2024"
|
RUST_EDITION = "2021"
|
||||||
|
|
||||||
# run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo)
|
RUST_VERSION = "1.82.0"
|
||||||
# a nightly toolchain is required to enable experimental_use_cc_common_link, which we require internally
|
|
||||||
# we prefer to run the same version as internally, even if experimental_use_cc_common_link is not really
|
|
||||||
# required in this repo
|
|
||||||
RUST_VERSION = "nightly/2025-08-01"
|
|
||||||
|
|
||||||
rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
|
rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
|
||||||
rust.toolchain(
|
rust.toolchain(
|
||||||
@@ -51,29 +47,6 @@ rust.toolchain(
|
|||||||
"x86_64-apple-darwin",
|
"x86_64-apple-darwin",
|
||||||
"aarch64-apple-darwin",
|
"aarch64-apple-darwin",
|
||||||
],
|
],
|
||||||
# generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
|
|
||||||
sha256s = {
|
|
||||||
"2025-08-01/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "9bbeaf5d3fc7247d31463a9083aa251c995cc50662c8219e7a2254d76a72a9a4",
|
|
||||||
"2025-08-01/rustc-nightly-x86_64-apple-darwin.tar.xz": "c9ea539a8eff0d5d162701f99f9e1aabe14dd0dfb420d62362817a5d09219de7",
|
|
||||||
"2025-08-01/rustc-nightly-aarch64-apple-darwin.tar.xz": "ae83feebbc39cfd982e4ecc8297731fe79c185173aee138467b334c5404b3773",
|
|
||||||
"2025-08-01/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "9f170c30d802a349be60cf52ec46260802093cb1013ad667fc0d528b7b10152f",
|
|
||||||
"2025-08-01/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "9ae5f3cd8f557c4f6df522597c69d14398cf604cfaed2b83e767c4b77a7eaaf6",
|
|
||||||
"2025-08-01/clippy-nightly-x86_64-apple-darwin.tar.xz": "983cb9ee0b6b968188e04ab2d33743d54764b2681ce565e1b3f2b9135c696a3e",
|
|
||||||
"2025-08-01/clippy-nightly-aarch64-apple-darwin.tar.xz": "ed2219dbc49d088225e1b7c5c4390fa295066e071fddaa2714018f6bb39ddbf0",
|
|
||||||
"2025-08-01/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "911f40ab5cbdd686f40e00965271fe47c4805513a308ed01f30eafb25b448a50",
|
|
||||||
"2025-08-01/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "106463c284e48e4904c717471eeec2be5cc83a9d2cae8d6e948b52438cad2e69",
|
|
||||||
"2025-08-01/cargo-nightly-x86_64-apple-darwin.tar.xz": "6ad35c40efc41a8c531ea43235058347b6902d98a9693bf0aed7fc16d5590cef",
|
|
||||||
"2025-08-01/cargo-nightly-aarch64-apple-darwin.tar.xz": "dd28c365e9d298abc3154c797720ad36a0058f131265c9978b4c8e4e37012c8a",
|
|
||||||
"2025-08-01/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "7b431286e12d6b3834b038f078389a00cac73f351e8c3152b2504a3c06420b3b",
|
|
||||||
"2025-08-01/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "e342e305d7927cc288d386983b2bc253cfad3776b113386e903d0b302648ef47",
|
|
||||||
"2025-08-01/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "e44dd3506524d85c37b3a54bcc91d01378fd2c590b2db5c5974d12f05c1b84d1",
|
|
||||||
"2025-08-01/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "0c1b5f46dd81be4a9227b10283a0fcaa39c14fea7e81aea6fd6d9887ff6cdc41",
|
|
||||||
"2025-08-01/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "423e5fd11406adccbc31b8456ceb7375ce055cdf45e90d2c3babeb2d7f58383f",
|
|
||||||
"2025-08-01/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "3c0ceb46a252647a1d4c7116d9ccae684fa5e42aaf3296419febd2c962c3b41d",
|
|
||||||
"2025-08-01/rust-std-nightly-x86_64-apple-darwin.tar.xz": "3be416003cab10f767390a753d1d16ae4d26c7421c03c98992cf1943e5b0efe8",
|
|
||||||
"2025-08-01/rust-std-nightly-aarch64-apple-darwin.tar.xz": "4046ac0ef951cb056b5028a399124f60999fa37792eab69d008d8d7965f389b4",
|
|
||||||
"2025-08-01/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "191ed9d8603c3a4fe5a7bbbc2feb72049078dae2df3d3b7d5dedf3abbf823e6e",
|
|
||||||
},
|
|
||||||
versions = [RUST_VERSION],
|
versions = [RUST_VERSION],
|
||||||
)
|
)
|
||||||
use_repo(rust, "rust_toolchains")
|
use_repo(rust, "rust_toolchains")
|
||||||
@@ -89,8 +62,8 @@ use_repo(
|
|||||||
"vendor_py__cc-1.2.14",
|
"vendor_py__cc-1.2.14",
|
||||||
"vendor_py__clap-4.5.30",
|
"vendor_py__clap-4.5.30",
|
||||||
"vendor_py__regex-1.11.1",
|
"vendor_py__regex-1.11.1",
|
||||||
"vendor_py__tree-sitter-0.24.7",
|
"vendor_py__tree-sitter-0.20.4",
|
||||||
"vendor_py__tree-sitter-graph-0.12.0",
|
"vendor_py__tree-sitter-graph-0.7.0",
|
||||||
)
|
)
|
||||||
|
|
||||||
# deps for ruby+rust
|
# deps for ruby+rust
|
||||||
@@ -98,60 +71,57 @@ use_repo(
|
|||||||
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
|
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
|
||||||
use_repo(
|
use_repo(
|
||||||
tree_sitter_extractors_deps,
|
tree_sitter_extractors_deps,
|
||||||
"vendor_ts__anyhow-1.0.100",
|
"vendor__anyhow-1.0.95",
|
||||||
"vendor_ts__argfile-0.2.1",
|
"vendor__argfile-0.2.1",
|
||||||
"vendor_ts__chalk-ir-0.104.0",
|
"vendor__chrono-0.4.39",
|
||||||
"vendor_ts__chrono-0.4.42",
|
"vendor__clap-4.5.26",
|
||||||
"vendor_ts__clap-4.5.48",
|
"vendor__dunce-1.0.5",
|
||||||
"vendor_ts__dunce-1.0.5",
|
"vendor__either-1.13.0",
|
||||||
"vendor_ts__either-1.15.0",
|
"vendor__encoding-0.2.33",
|
||||||
"vendor_ts__encoding-0.2.33",
|
"vendor__figment-0.10.19",
|
||||||
"vendor_ts__figment-0.10.19",
|
"vendor__flate2-1.0.35",
|
||||||
"vendor_ts__flate2-1.1.2",
|
"vendor__glob-0.3.2",
|
||||||
"vendor_ts__glob-0.3.3",
|
"vendor__globset-0.4.15",
|
||||||
"vendor_ts__globset-0.4.16",
|
"vendor__itertools-0.14.0",
|
||||||
"vendor_ts__itertools-0.14.0",
|
"vendor__lazy_static-1.5.0",
|
||||||
"vendor_ts__lazy_static-1.5.0",
|
"vendor__mustache-0.9.0",
|
||||||
"vendor_ts__mustache-0.9.0",
|
"vendor__num-traits-0.2.19",
|
||||||
"vendor_ts__num-traits-0.2.19",
|
"vendor__num_cpus-1.16.0",
|
||||||
"vendor_ts__num_cpus-1.17.0",
|
"vendor__proc-macro2-1.0.93",
|
||||||
"vendor_ts__proc-macro2-1.0.101",
|
"vendor__quote-1.0.38",
|
||||||
"vendor_ts__quote-1.0.41",
|
"vendor__ra_ap_base_db-0.0.258",
|
||||||
"vendor_ts__ra_ap_base_db-0.0.301",
|
"vendor__ra_ap_cfg-0.0.258",
|
||||||
"vendor_ts__ra_ap_cfg-0.0.301",
|
"vendor__ra_ap_hir-0.0.258",
|
||||||
"vendor_ts__ra_ap_hir-0.0.301",
|
"vendor__ra_ap_hir_def-0.0.258",
|
||||||
"vendor_ts__ra_ap_hir_def-0.0.301",
|
"vendor__ra_ap_hir_expand-0.0.258",
|
||||||
"vendor_ts__ra_ap_hir_expand-0.0.301",
|
"vendor__ra_ap_ide_db-0.0.258",
|
||||||
"vendor_ts__ra_ap_hir_ty-0.0.301",
|
"vendor__ra_ap_intern-0.0.258",
|
||||||
"vendor_ts__ra_ap_ide_db-0.0.301",
|
"vendor__ra_ap_load-cargo-0.0.258",
|
||||||
"vendor_ts__ra_ap_intern-0.0.301",
|
"vendor__ra_ap_parser-0.0.258",
|
||||||
"vendor_ts__ra_ap_load-cargo-0.0.301",
|
"vendor__ra_ap_paths-0.0.258",
|
||||||
"vendor_ts__ra_ap_parser-0.0.301",
|
"vendor__ra_ap_project_model-0.0.258",
|
||||||
"vendor_ts__ra_ap_paths-0.0.301",
|
"vendor__ra_ap_span-0.0.258",
|
||||||
"vendor_ts__ra_ap_project_model-0.0.301",
|
"vendor__ra_ap_stdx-0.0.258",
|
||||||
"vendor_ts__ra_ap_span-0.0.301",
|
"vendor__ra_ap_syntax-0.0.258",
|
||||||
"vendor_ts__ra_ap_stdx-0.0.301",
|
"vendor__ra_ap_vfs-0.0.258",
|
||||||
"vendor_ts__ra_ap_syntax-0.0.301",
|
"vendor__rand-0.8.5",
|
||||||
"vendor_ts__ra_ap_vfs-0.0.301",
|
"vendor__rayon-1.10.0",
|
||||||
"vendor_ts__rand-0.9.2",
|
"vendor__regex-1.11.1",
|
||||||
"vendor_ts__rayon-1.11.0",
|
"vendor__serde-1.0.217",
|
||||||
"vendor_ts__regex-1.11.3",
|
"vendor__serde_json-1.0.135",
|
||||||
"vendor_ts__serde-1.0.228",
|
"vendor__serde_with-3.12.0",
|
||||||
"vendor_ts__serde_json-1.0.145",
|
"vendor__syn-2.0.96",
|
||||||
"vendor_ts__serde_with-3.14.1",
|
"vendor__toml-0.8.19",
|
||||||
"vendor_ts__syn-2.0.106",
|
"vendor__tracing-0.1.41",
|
||||||
"vendor_ts__toml-0.9.7",
|
"vendor__tracing-flame-0.2.0",
|
||||||
"vendor_ts__tracing-0.1.41",
|
"vendor__tracing-subscriber-0.3.19",
|
||||||
"vendor_ts__tracing-flame-0.2.0",
|
"vendor__tree-sitter-0.24.6",
|
||||||
"vendor_ts__tracing-subscriber-0.3.20",
|
"vendor__tree-sitter-embedded-template-0.23.2",
|
||||||
"vendor_ts__tree-sitter-0.25.9",
|
"vendor__tree-sitter-json-0.24.8",
|
||||||
"vendor_ts__tree-sitter-embedded-template-0.25.0",
|
"vendor__tree-sitter-ql-0.23.1",
|
||||||
"vendor_ts__tree-sitter-json-0.24.8",
|
"vendor__tree-sitter-ruby-0.23.1",
|
||||||
"vendor_ts__tree-sitter-ql-0.23.1",
|
"vendor__triomphe-0.1.14",
|
||||||
"vendor_ts__tree-sitter-ruby-0.23.1",
|
"vendor__ungrammar-1.16.1",
|
||||||
"vendor_ts__triomphe-0.1.14",
|
|
||||||
"vendor_ts__ungrammar-1.16.1",
|
|
||||||
"vendor_ts__zstd-0.13.3",
|
|
||||||
)
|
)
|
||||||
|
|
||||||
http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
|
http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
|
||||||
@@ -172,7 +142,7 @@ http_archive(
|
|||||||
)
|
)
|
||||||
|
|
||||||
dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
|
dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
|
||||||
dotnet.toolchain(dotnet_version = "9.0.300")
|
dotnet.toolchain(dotnet_version = "9.0.100")
|
||||||
use_repo(dotnet, "dotnet_toolchains")
|
use_repo(dotnet, "dotnet_toolchains")
|
||||||
|
|
||||||
register_toolchains("@dotnet_toolchains//:all")
|
register_toolchains("@dotnet_toolchains//:all")
|
||||||
@@ -183,7 +153,7 @@ use_repo(csharp_main_extension, "paket.main")
|
|||||||
pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
|
pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
|
||||||
pip.parse(
|
pip.parse(
|
||||||
hub_name = "codegen_deps",
|
hub_name = "codegen_deps",
|
||||||
python_version = "3.12",
|
python_version = "3.11",
|
||||||
requirements_lock = "//misc/codegen:requirements_lock.txt",
|
requirements_lock = "//misc/codegen:requirements_lock.txt",
|
||||||
)
|
)
|
||||||
use_repo(pip, "codegen_deps")
|
use_repo(pip, "codegen_deps")
|
||||||
@@ -221,6 +191,10 @@ use_repo(
|
|||||||
kotlin_extractor_deps,
|
kotlin_extractor_deps,
|
||||||
"codeql_kotlin_defaults",
|
"codeql_kotlin_defaults",
|
||||||
"codeql_kotlin_embeddable",
|
"codeql_kotlin_embeddable",
|
||||||
|
"kotlin-compiler-1.5.0",
|
||||||
|
"kotlin-compiler-1.5.10",
|
||||||
|
"kotlin-compiler-1.5.20",
|
||||||
|
"kotlin-compiler-1.5.30",
|
||||||
"kotlin-compiler-1.6.0",
|
"kotlin-compiler-1.6.0",
|
||||||
"kotlin-compiler-1.6.20",
|
"kotlin-compiler-1.6.20",
|
||||||
"kotlin-compiler-1.7.0",
|
"kotlin-compiler-1.7.0",
|
||||||
@@ -232,8 +206,10 @@ use_repo(
|
|||||||
"kotlin-compiler-2.0.20-Beta2",
|
"kotlin-compiler-2.0.20-Beta2",
|
||||||
"kotlin-compiler-2.1.0-Beta1",
|
"kotlin-compiler-2.1.0-Beta1",
|
||||||
"kotlin-compiler-2.1.20-Beta1",
|
"kotlin-compiler-2.1.20-Beta1",
|
||||||
"kotlin-compiler-2.2.0-Beta1",
|
"kotlin-compiler-embeddable-1.5.0",
|
||||||
"kotlin-compiler-2.2.20-Beta2",
|
"kotlin-compiler-embeddable-1.5.10",
|
||||||
|
"kotlin-compiler-embeddable-1.5.20",
|
||||||
|
"kotlin-compiler-embeddable-1.5.30",
|
||||||
"kotlin-compiler-embeddable-1.6.0",
|
"kotlin-compiler-embeddable-1.6.0",
|
||||||
"kotlin-compiler-embeddable-1.6.20",
|
"kotlin-compiler-embeddable-1.6.20",
|
||||||
"kotlin-compiler-embeddable-1.7.0",
|
"kotlin-compiler-embeddable-1.7.0",
|
||||||
@@ -245,8 +221,10 @@ use_repo(
|
|||||||
"kotlin-compiler-embeddable-2.0.20-Beta2",
|
"kotlin-compiler-embeddable-2.0.20-Beta2",
|
||||||
"kotlin-compiler-embeddable-2.1.0-Beta1",
|
"kotlin-compiler-embeddable-2.1.0-Beta1",
|
||||||
"kotlin-compiler-embeddable-2.1.20-Beta1",
|
"kotlin-compiler-embeddable-2.1.20-Beta1",
|
||||||
"kotlin-compiler-embeddable-2.2.0-Beta1",
|
"kotlin-stdlib-1.5.0",
|
||||||
"kotlin-compiler-embeddable-2.2.20-Beta2",
|
"kotlin-stdlib-1.5.10",
|
||||||
|
"kotlin-stdlib-1.5.20",
|
||||||
|
"kotlin-stdlib-1.5.30",
|
||||||
"kotlin-stdlib-1.6.0",
|
"kotlin-stdlib-1.6.0",
|
||||||
"kotlin-stdlib-1.6.20",
|
"kotlin-stdlib-1.6.20",
|
||||||
"kotlin-stdlib-1.7.0",
|
"kotlin-stdlib-1.7.0",
|
||||||
@@ -258,35 +236,33 @@ use_repo(
|
|||||||
"kotlin-stdlib-2.0.20-Beta2",
|
"kotlin-stdlib-2.0.20-Beta2",
|
||||||
"kotlin-stdlib-2.1.0-Beta1",
|
"kotlin-stdlib-2.1.0-Beta1",
|
||||||
"kotlin-stdlib-2.1.20-Beta1",
|
"kotlin-stdlib-2.1.20-Beta1",
|
||||||
"kotlin-stdlib-2.2.0-Beta1",
|
|
||||||
"kotlin-stdlib-2.2.20-Beta2",
|
|
||||||
)
|
)
|
||||||
|
|
||||||
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
|
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
|
||||||
go_sdk.download(version = "1.25.0")
|
go_sdk.download(version = "1.24.0")
|
||||||
|
|
||||||
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
|
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
|
||||||
go_deps.from_file(go_mod = "//go/extractor:go.mod")
|
go_deps.from_file(go_mod = "//go/extractor:go.mod")
|
||||||
use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
|
use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
|
||||||
|
|
||||||
lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
|
lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
|
||||||
|
|
||||||
lfs_archive(
|
lfs_files(
|
||||||
name = "ripunzip-linux",
|
name = "ripunzip-linux",
|
||||||
src = "//misc/ripunzip:ripunzip-Linux.zip",
|
srcs = ["//misc/ripunzip:ripunzip-linux"],
|
||||||
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
|
executable = True,
|
||||||
)
|
)
|
||||||
|
|
||||||
lfs_archive(
|
lfs_files(
|
||||||
name = "ripunzip-windows",
|
name = "ripunzip-windows",
|
||||||
src = "//misc/ripunzip:ripunzip-Windows.zip",
|
srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
|
||||||
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
|
executable = True,
|
||||||
)
|
)
|
||||||
|
|
||||||
lfs_archive(
|
lfs_files(
|
||||||
name = "ripunzip-macos",
|
name = "ripunzip-macos",
|
||||||
src = "//misc/ripunzip:ripunzip-macOS.zip",
|
srcs = ["//misc/ripunzip:ripunzip-macos"],
|
||||||
build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
|
executable = True,
|
||||||
)
|
)
|
||||||
|
|
||||||
register_toolchains(
|
register_toolchains(
|
||||||
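--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -1,17 +1,14 @@
 name: "actions"
+aliases: []
 display_name: "GitHub Actions"
 version: 0.0.1
 column_kind: "utf16"
 unicode_newlines: true
 build_modes:
 - none
-default_queries:
-- codeql/actions-queries
-# Actions workflows are not reported separately by the GitHub API, so we can't
-# associate them with a specific language.
+file_coverage_languages: []
 github_api_languages: []
-scc_languages:
-- YAML
+scc_languages: []
 file_types:
 - name: workflow
 display_name: GitHub Actions workflow files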
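Review bot: On the new side the `default_queries` entry (`codeql/actions-queries`) is gone and `scc_languages` shrinks from `- YAML` to `[]`, so the extractor no longer advertises a default query pack or a line-count language; nothing visible here explains that, and the rest of this compare also rolls toolchain and dependency versions backwards, so this looks like a stale base rather than an intended change and is worth confirming before merge. The comment explaining why `github_api_languages` is empty is dropped as well; if the empty list stays, keep a one-line reason next to it, e.g. `# Actions workflows are not reported as a separate language by the GitHub API.`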
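--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -1,8 +1,12 @@
-# Note: We're adding the `reusable_workflows` subdirectories to proactively
-# record workflows that were called cross-repo, check them out locally,
-# and enable an interprocedural analysis across the workflow files.
-# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
-$DefaultPathFilters = @(
+if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
+Write-Output 'Path filters set. Passing them through to the JavaScript extractor.'
+} else {
+Write-Output 'No path filters set. Using the default filters.'
+# Note: We're adding the `reusable_workflows` subdirectories to proactively
+# record workflows that were called cross-repo, check them out locally,
+# and enable an interprocedural analysis across the workflow files.
+# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
+$DefaultPathFilters = @(
 'exclude:**/*',
 'include:.github/workflows/*.yml',
 'include:.github/workflows/*.yaml',
@@ -10,25 +14,14 @@ $DefaultPathFilters = @(
 'include:.github/reusable_workflows/**/*.yaml',
 'include:**/action.yml',
 'include:**/action.yaml'
 )
 
-if ($null -ne $env:LGTM_INDEX_FILTERS) {
-Write-Output 'LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor.'
-# Begin with the default path inclusions only,
-# followed by the user-provided filters.
-# If the user provided `paths`, those patterns override the default inclusions
-# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
-# If the user provided `paths-ignore`, those patterns are excluded.
-$PathFilters = ($DefaultPathFilters -join "`n") + "`n" + $env:LGTM_INDEX_FILTERS
-$env:LGTM_INDEX_FILTERS = $PathFilters
-} else {
-Write-Output 'LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor.'
 $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
 }
 
 # Find the JavaScript extractor directory via `codeql resolve extractor`.
 $CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &"$CodeQL" resolve extractor --language javascript
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
 if ($LASTEXITCODE -ne 0) {
 throw 'Failed to resolve JavaScript extractor.'
 }
@@ -47,7 +40,7 @@ $env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTI
 $env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
 $env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
 
-&"$JavaScriptAutoBuild"
+&$JavaScriptAutoBuild
 if ($LASTEXITCODE -ne 0) {
 throw "JavaScript autobuilder failed."
 }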
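Review bot: In the first hunk the `if` branch only logs: whenever `LGTM_INDEX_INCLUDE`, `LGTM_INDEX_EXCLUDE` or `LGTM_INDEX_FILTERS` is set, `$DefaultPathFilters` is never built, so the `exclude:**/*` baseline and the workflow/action include patterns are not applied, and for the first two variables `$env:LGTM_INDEX_FILTERS` is not set at all — file selection is then presumably left to the JavaScript extractor's own defaults. Define `$DefaultPathFilters` before the `if`, and in the set branch prepend it to whatever the user supplied: ``$env:LGTM_INDEX_FILTERS = ($DefaultPathFilters -join "`n") + "`n" + $env:LGTM_INDEX_FILTERS``, keeping the `else` branch as it is. The `else` block opened in the first hunk is closed in the second, and `$JavaScriptAutoBuild` used in the third is assigned outside the hunks.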
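--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -1,4 +1,3 @@
 @echo off
 rem All of the work is done in the PowerShell script
-echo "Running PowerShell script at '%~dp0autobuild-impl.ps1'"
-powershell.exe -File "%~dp0autobuild-impl.ps1"
+powershell.exe %~dp0autobuild-impl.ps1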
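Review bot: `powershell.exe %~dp0autobuild-impl.ps1` passes the script path unquoted and without `-File`, so powershell parses the argument as a command line rather than a file name: an extractor directory containing a space (`%~dp0` expands to the script's own directory) is split into several tokens and the script is not found, and any PowerShell-special character in the path is interpreted instead of taken literally. Use `powershell.exe -NoProfile -File "%~dp0autobuild-impl.ps1"`; `-NoProfile` additionally keeps the user's profile scripts out of a build step. The removed `echo` line was the only trace in the build log of which script was invoked; keeping it costs nothing.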
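--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -17,28 +17,16 @@ include:**/action.yaml
 END
 )
 
-if [ -n "${LGTM_INDEX_FILTERS:-}" ]; then
-echo "LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor."
-# Begin with the default path inclusions only,
-# followed by the user-provided filters.
-# If the user provided `paths`, those patterns override the default inclusions
-# (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
-# If the user provided `paths-ignore`, those patterns are excluded.
-PATH_FILTERS="$(cat << END
-${DEFAULT_PATH_FILTERS}
-${LGTM_INDEX_FILTERS}
-END
-)"
-LGTM_INDEX_FILTERS="${PATH_FILTERS}"
-export LGTM_INDEX_FILTERS
+if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
+echo "Path filters set. Passing them through to the JavaScript extractor."
 else
-echo "LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor."
+echo "No path filters set. Using the default filters."
 LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
 export LGTM_INDEX_FILTERS
 fi
 
 # Find the JavaScript extractor directory via `codeql resolve extractor`.
-CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("${CODEQL_DIST}/codeql" resolve extractor --language javascript)"
+CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
 export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
 
 echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
@@ -54,4 +42,4 @@ env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGN
 CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
 CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
 CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
-"${JAVASCRIPT_AUTO_BUILD}"
+${JAVASCRIPT_AUTO_BUILD}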
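Review bot: `$CODEQL_DIST` is expanded unquoted inside the command substitution, so a distribution path containing whitespace or glob characters is word-split and the `codeql` binary is not found; write `CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("${CODEQL_DIST}/codeql" resolve extractor --language javascript)"`, and likewise quote `"${JAVASCRIPT_AUTO_BUILD}"` on the last line of the second hunk. The first branch of the `if` also only echoes: when `LGTM_INDEX_INCLUDE` or `LGTM_INDEX_EXCLUDE` is set without `LGTM_INDEX_FILTERS`, nothing is exported and the `exclude:**/*` baseline plus the workflow/action include patterns in `DEFAULT_PATH_FILTERS` are skipped, so file selection presumably falls to the JavaScript extractor's own defaults; the PowerShell script on this page has the same gap. `DEFAULT_PATH_FILTERS` comes from the heredoc that closes at the top of the first hunk, so the beginning of the script is outside it.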
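--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,10 +0,0 @@
-{
-"paths": [
-".github/workflows/*.yml",
-".github/workflows/*.yaml",
-".github/reusable_workflows/**/*.yml",
-".github/reusable_workflows/**/*.yaml",
-"**/action.yml",
-"**/action.yaml"
-]
-}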
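--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,2 +0,0 @@
-@echo off
-type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"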
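--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"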
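--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,5 +0,0 @@
-import actions
-
-from AstNode n
-where n instanceof Workflow or n instanceof CompositeAction
-select n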
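--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,6 +0,0 @@
-| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
-| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
-| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
-| src/action.yml:1:1:11:32 | name: ' ... action' |
-| src/excluded/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |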
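--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,2 +0,0 @@
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |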
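--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,5 +0,0 @@
-| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
-| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
-| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
-| src/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |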
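--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,2 +0,0 @@
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |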
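--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,5 +0,0 @@
-import actions
-
-from AstNode n
-where n instanceof Workflow or n instanceof CompositeAction
-select n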
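--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,4 +0,0 @@
-paths:
-- 'included'
-paths-ignore:
-- 'excluded'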
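--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,2 +0,0 @@
-paths-ignore:
-- 'excluded'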
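--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,2 +0,0 @@
-paths:
-- 'included'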
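--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,6 +0,0 @@
-src/.github/action.yaml
-src/.github/actions/action-name/action.yml
-src/.github/workflows/workflow.yml
-src/action.yml
-src/excluded/action.yml
-src/included/action.yml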
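--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,3 +0,0 @@
-src/included/action.yml
-src/included/not-an-action.yml
-src/included/unreachable-workflow.yml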
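--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,5 +0,0 @@
-src/.github/action.yaml
-src/.github/actions/action-name/action.yml
-src/.github/workflows/workflow.yml
-src/action.yml
-src/included/action.yml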
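--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,3 +0,0 @@
-src/included/action.yml
-src/included/not-an-action.yml
-src/included/unreachable-workflow.yml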
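--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,11 +0,0 @@
-name: 'A composite action'
-description: 'Do something'
-runs:
-using: "composite"
-steps:
-- name: Print
-run: echo "Hello world"
-shell: bash
-
-- name: Checkout
-uses: actions/checkout@v4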
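--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,11 +0,0 @@
-name: 'A composite action'
-description: 'Do something'
-runs:
-using: "composite"
-steps:
-- name: Print
-run: echo "Hello world"
-shell: bash
-
-- name: Checkout
-uses: actions/checkout@v4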
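--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,12 +0,0 @@
-name: An unreachable workflow
-on:
-push:
-branches:
-- main
-
-jobs:
-job:
-runs-on: ubuntu-latest
-steps:
-- name: Checkout code
-uses: actions/checkout@v4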
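--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,12 +0,0 @@
-name: A workflow
-on:
-push:
-branches:
-- main
-
-jobs:
-job:
-runs-on: ubuntu-latest
-steps:
-- name: Checkout code
-uses: actions/checkout@v4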
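--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,11 +0,0 @@
-name: 'A composite action'
-description: 'Do something'
-runs:
-using: "composite"
-steps:
-- name: Print
-run: echo "Hello world"
-shell: bash
-
-- name: Checkout
-uses: actions/checkout@v4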
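--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,11 +0,0 @@
-name: 'A composite action'
-description: 'Do something'
-runs:
-using: "composite"
-steps:
-- name: Print
-run: echo "Hello world"
-shell: bash
-
-- name: Checkout
-uses: actions/checkout@v4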
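--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,12 +0,0 @@
-name: An unreachable workflow
-on:
-push:
-branches:
-- main
-
-jobs:
-job:
-runs-on: ubuntu-latest
-steps:
-- name: Checkout code
-uses: actions/checkout@v4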
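--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,11 +0,0 @@
-name: 'A composite action'
-description: 'Do something'
-runs:
-using: "composite"
-steps:
-- name: Print
-run: echo "Hello world"
-shell: bash
-
-- name: Checkout
-uses: actions/checkout@v4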
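--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1 +0,0 @@
-name: 'Not an action, just a YAML file'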
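--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,12 +0,0 @@
-name: An unreachable workflow
-on:
-push:
-branches:
-- main
-
-jobs:
-job:
-runs-on: ubuntu-latest
-steps:
-- name: Checkout code
-uses: actions/checkout@v4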
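--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,12 +0,0 @@
-name: An unreachable workflow
-on:
-push:
-branches:
-- main
-
-jobs:
-job:
-runs-on: ubuntu-latest
-steps:
-- name: Checkout code
-uses: actions/checkout@v4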
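--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,18 +0,0 @@
-import pytest
-
-@pytest.mark.ql_test(expected=".default-filters.expected")
-def test_default_filters(codeql, actions, check_source_archive):
-check_source_archive.expected_suffix = ".default-filters.expected"
-codeql.database.create(source_root="src")
-
-@pytest.mark.ql_test(expected=".paths-only.expected")
-def test_config_paths_only(codeql, actions):
-codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-only.yml")
-
-@pytest.mark.ql_test(expected=".paths-ignore-only.expected")
-def test_config_paths_ignore_only(codeql, actions):
-codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-ignore-only.yml")
-
-@pytest.mark.ql_test(expected=".paths-and-paths-ignore.expected")
-def test_config_paths_and_paths_ignore(codeql, actions):
-codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-and-paths-ignore.yml")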
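--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1 +0,0 @@
-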
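--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1 +0,0 @@
-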
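--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,18 +0,0 @@
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql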
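--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,28 +0,0 @@
-ql/actions/ql/src/Debug/SyntaxError.ql
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
-ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
-ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
-ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql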
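--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,24 +0,0 @@
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
-ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
-ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
-ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
-ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
-ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
-ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
-ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
-ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
-ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
-ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
-ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
-ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql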
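--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,17 +0,0 @@
-ql/actions/ql/src/Debug/partial.ql
-ql/actions/ql/src/Models/CompositeActionsSinks.ql
-ql/actions/ql/src/Models/CompositeActionsSources.ql
-ql/actions/ql/src/Models/CompositeActionsSummaries.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
-ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
-ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
-ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
-ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
-ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
-ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
-ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
-ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
-ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
-ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
-ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql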
@@ -1,14 +0,0 @@
|
|||||||
import runs_on
|
|
||||||
import pytest
|
|
||||||
from query_suites import *
|
|
||||||
|
|
||||||
well_known_query_suites = ['actions-code-quality.qls', 'actions-code-quality-extended.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
|
|
||||||
|
|
||||||
@runs_on.posix
|
|
||||||
@pytest.mark.parametrize("query_suite", well_known_query_suites)
|
|
||||||
def test(codeql, actions, check_query_suite, query_suite):
|
|
||||||
check_query_suite(query_suite)
|
|
||||||
|
|
||||||
@runs_on.posix
|
|
||||||
def test_not_included_queries(codeql, actions, check_queries_not_included):
|
|
||||||
check_queries_not_included('actions', well_known_query_suites)
|
|
||||||
@@ -1,82 +1,3 @@
|
|||||||
## 0.4.20
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.19
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.18
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.17
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.16
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.15
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.14
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.13
|
|
||||||
|
|
||||||
### Bug Fixes
|
|
||||||
|
|
||||||
* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
|
|
||||||
|
|
||||||
## 0.4.12
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Fixed performance issues in the parsing of Bash scripts in workflow files,
|
|
||||||
which led to out-of-disk errors when analysing certain workflow files with
|
|
||||||
complex interpolations of shell commands or quoted strings.
|
|
||||||
|
|
||||||
## 0.4.11
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.10
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.9
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.8
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.7
|
|
||||||
|
|
||||||
### New Features
|
|
||||||
|
|
||||||
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
|
|
||||||
|
|
||||||
## 0.4.6
|
|
||||||
|
|
||||||
### Bug Fixes
|
|
||||||
|
|
||||||
* The query `actions/code-injection/medium` now produces alerts for injection
|
|
||||||
vulnerabilities on `pull_request` events.
|
|
||||||
|
|
||||||
## 0.4.5
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.4
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.3
|
## 0.4.3
|
||||||
|
|
||||||
### New Features
|
### New Features
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.10
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.11
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
## 0.4.12
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Fixed performance issues in the parsing of Bash scripts in workflow files,
|
|
||||||
which led to out-of-disk errors when analysing certain workflow files with
|
|
||||||
complex interpolations of shell commands or quoted strings.
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
## 0.4.13
|
|
||||||
|
|
||||||
### Bug Fixes
|
|
||||||
|
|
||||||
* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.14
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||