mirror of
https://github.com/github/codeql.git
synced 2026-07-05 11:35:30 +02:00
Compare commits
4 Commits
codeql-cli
...
ginsbach/O
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
9a11e29c01 | ||
|
|
b6ac00f642 | ||
|
|
2a187e5922 | ||
|
|
bebe3f4fe5 |
3
.bazelrc
3
.bazelrc
@@ -30,9 +30,6 @@ common --registry=https://bcr.bazel.build
|
|||||||
|
|
||||||
common --@rules_dotnet//dotnet/settings:strict_deps=false
|
common --@rules_dotnet//dotnet/settings:strict_deps=false
|
||||||
|
|
||||||
# we only configure a nightly toolchain
|
|
||||||
common --@rules_rust//rust/toolchain/channel=nightly
|
|
||||||
|
|
||||||
# Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
|
# Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
|
||||||
common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
|
common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
|
||||||
|
|
||||||
|
|||||||
@@ -1 +1 @@
|
|||||||
8.4.2
|
8.1.1
|
||||||
|
|||||||
3
.gitattributes
vendored
3
.gitattributes
vendored
@@ -82,6 +82,9 @@
|
|||||||
/csharp/paket.main.bzl linguist-generated=true
|
/csharp/paket.main.bzl linguist-generated=true
|
||||||
/csharp/paket.main_extension.bzl linguist-generated=true
|
/csharp/paket.main_extension.bzl linguist-generated=true
|
||||||
|
|
||||||
|
# ripunzip tool
|
||||||
|
/misc/ripunzip/ripunzip-* filter=lfs diff=lfs merge=lfs -text
|
||||||
|
|
||||||
# swift prebuilt resources
|
# swift prebuilt resources
|
||||||
/swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
|
/swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
|
||||||
/swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text
|
/swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text
|
||||||
|
|||||||
5
.github/dependabot.yml
vendored
5
.github/dependabot.yml
vendored
@@ -40,8 +40,3 @@ updates:
|
|||||||
- dependency-name: "*"
|
- dependency-name: "*"
|
||||||
reviewers:
|
reviewers:
|
||||||
- "github/codeql-go"
|
- "github/codeql-go"
|
||||||
|
|
||||||
- package-ecosystem: bazel
|
|
||||||
directory: "/"
|
|
||||||
schedule:
|
|
||||||
interval: weekly
|
|
||||||
|
|||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
applyTo: "**/*.expected"
|
|
||||||
---
|
|
||||||
Ignore these files. These are generated to be correct by running the tests, and should not be edited manually.
|
|
||||||
@@ -1,6 +0,0 @@
|
|||||||
---
|
|
||||||
applyTo: "**/*.ql,**/*.qll"
|
|
||||||
---
|
|
||||||
When reviewing these QL files, do not make any comment on the code itself. You don't understand the QL programming language well enough yet. You can only make comments about the following aspects:
|
|
||||||
* comments (lines starting with `//` or block comments enclosed in `/* ... */`): you can suggest improvements to the clarity of comments, or point out spelling mistakes
|
|
||||||
* typos in identifiers
|
|
||||||
74
.github/workflows/build-ripunzip.yml
vendored
Normal file
74
.github/workflows/build-ripunzip.yml
vendored
Normal file
@@ -0,0 +1,74 @@
|
|||||||
|
name: Build runzip
|
||||||
|
|
||||||
|
on:
|
||||||
|
workflow_dispatch:
|
||||||
|
inputs:
|
||||||
|
ripunzip-version:
|
||||||
|
description: "what reference to checktout from google/runzip"
|
||||||
|
required: false
|
||||||
|
default: v1.2.1
|
||||||
|
openssl-version:
|
||||||
|
description: "what reference to checkout from openssl/openssl for Linux"
|
||||||
|
required: false
|
||||||
|
default: openssl-3.3.0
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build:
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
os: [ubuntu-22.04, macos-13, windows-2019]
|
||||||
|
runs-on: ${{ matrix.os }}
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
repository: google/ripunzip
|
||||||
|
ref: ${{ inputs.ripunzip-version }}
|
||||||
|
# we need to avoid ripunzip dynamically linking into libssl
|
||||||
|
# see https://github.com/sfackler/rust-openssl/issues/183
|
||||||
|
- if: runner.os == 'Linux'
|
||||||
|
name: checkout openssl
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
with:
|
||||||
|
repository: openssl/openssl
|
||||||
|
path: openssl
|
||||||
|
ref: ${{ inputs.openssl-version }}
|
||||||
|
- if: runner.os == 'Linux'
|
||||||
|
name: build and install openssl with fPIC
|
||||||
|
shell: bash
|
||||||
|
working-directory: openssl
|
||||||
|
run: |
|
||||||
|
./config -fPIC --prefix=$HOME/.local --openssldir=$HOME/.local/ssl
|
||||||
|
make -j $(nproc)
|
||||||
|
make install_sw -j $(nproc)
|
||||||
|
- if: runner.os == 'Linux'
|
||||||
|
name: build (linux)
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
env OPENSSL_LIB_DIR=$HOME/.local/lib64 OPENSSL_INCLUDE_DIR=$HOME/.local/include OPENSSL_STATIC=yes cargo build --release
|
||||||
|
mv target/release/ripunzip ripunzip-linux
|
||||||
|
- if: runner.os == 'Windows'
|
||||||
|
name: build (windows)
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
cargo build --release
|
||||||
|
mv target/release/ripunzip ripunzip-windows
|
||||||
|
- name: build (macOS)
|
||||||
|
if: runner.os == 'macOS'
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
rustup target install x86_64-apple-darwin
|
||||||
|
rustup target install aarch64-apple-darwin
|
||||||
|
cargo build --target x86_64-apple-darwin --release
|
||||||
|
cargo build --target aarch64-apple-darwin --release
|
||||||
|
lipo -create -output ripunzip-macos \
|
||||||
|
-arch x86_64 target/x86_64-apple-darwin/release/ripunzip \
|
||||||
|
-arch arm64 target/aarch64-apple-darwin/release/ripunzip
|
||||||
|
- uses: actions/upload-artifact@v4
|
||||||
|
with:
|
||||||
|
name: ripunzip-${{ runner.os }}
|
||||||
|
path: ripunzip-*
|
||||||
|
- name: Check built binary
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
./ripunzip-* --version
|
||||||
2
.github/workflows/buildifier.yml
vendored
2
.github/workflows/buildifier.yml
vendored
@@ -17,7 +17,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Check bazel formatting
|
- name: Check bazel formatting
|
||||||
uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||||
with:
|
with:
|
||||||
|
|||||||
1
.github/workflows/check-change-note.yml
vendored
1
.github/workflows/check-change-note.yml
vendored
@@ -16,6 +16,7 @@ on:
|
|||||||
- "shared/**/*.qll"
|
- "shared/**/*.qll"
|
||||||
- "!**/experimental/**"
|
- "!**/experimental/**"
|
||||||
- "!ql/**"
|
- "!ql/**"
|
||||||
|
- "!rust/**"
|
||||||
- ".github/workflows/check-change-note.yml"
|
- ".github/workflows/check-change-note.yml"
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
|
|||||||
2
.github/workflows/check-implicit-this.yml
vendored
2
.github/workflows/check-implicit-this.yml
vendored
@@ -16,7 +16,7 @@ jobs:
|
|||||||
check:
|
check:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check that implicit this warnings is enabled for all packs
|
- name: Check that implicit this warnings is enabled for all packs
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
23
.github/workflows/check-overlay-annotations.yml
vendored
23
.github/workflows/check-overlay-annotations.yml
vendored
@@ -1,23 +0,0 @@
|
|||||||
name: Check overlay annotations
|
|
||||||
|
|
||||||
on:
|
|
||||||
push:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- 'rc/*'
|
|
||||||
pull_request:
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- 'rc/*'
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
sync:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v5
|
|
||||||
- name: Check overlay annotations
|
|
||||||
run: python config/add-overlay-annotations.py --check java
|
|
||||||
|
|
||||||
2
.github/workflows/check-qldoc.yml
vendored
2
.github/workflows/check-qldoc.yml
vendored
@@ -18,7 +18,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
|
|
||||||
|
|||||||
2
.github/workflows/check-query-ids.yml
vendored
2
.github/workflows/check-query-ids.yml
vendored
@@ -19,6 +19,6 @@ jobs:
|
|||||||
name: Check query IDs
|
name: Check query IDs
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check for duplicate query IDs
|
- name: Check for duplicate query IDs
|
||||||
run: python3 misc/scripts/check-query-ids.py
|
run: python3 misc/scripts/check-query-ids.py
|
||||||
|
|||||||
34
.github/workflows/codegen.yml
vendored
Normal file
34
.github/workflows/codegen.yml
vendored
Normal file
@@ -0,0 +1,34 @@
|
|||||||
|
name: Codegen
|
||||||
|
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
paths:
|
||||||
|
- "misc/bazel/**"
|
||||||
|
- "misc/codegen/**"
|
||||||
|
- "*.bazel*"
|
||||||
|
- .github/workflows/codegen.yml
|
||||||
|
- .pre-commit-config.yaml
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- rc/*
|
||||||
|
- codeql-cli-*
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
codegen:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v4
|
||||||
|
- uses: actions/setup-python@v4
|
||||||
|
with:
|
||||||
|
python-version-file: 'misc/codegen/.python-version'
|
||||||
|
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||||
|
name: Check that python code is properly formatted
|
||||||
|
with:
|
||||||
|
extra_args: autopep8 --all-files
|
||||||
|
- name: Run codegen tests
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
bazel test //misc/codegen/...
|
||||||
4
.github/workflows/codeql-analysis.yml
vendored
4
.github/workflows/codeql-analysis.yml
vendored
@@ -34,10 +34,10 @@ jobs:
|
|||||||
- name: Setup dotnet
|
- name: Setup dotnet
|
||||||
uses: actions/setup-dotnet@v4
|
uses: actions/setup-dotnet@v4
|
||||||
with:
|
with:
|
||||||
dotnet-version: 10.0.100
|
dotnet-version: 9.0.100
|
||||||
|
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
# Initializes the CodeQL tools for scanning.
|
# Initializes the CodeQL tools for scanning.
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
|
|||||||
44
.github/workflows/compile-queries.yml
vendored
44
.github/workflows/compile-queries.yml
vendored
@@ -17,44 +17,12 @@ permissions:
|
|||||||
contents: read
|
contents: read
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
detect-changes:
|
|
||||||
if: github.repository_owner == 'github'
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
outputs:
|
|
||||||
languages: ${{ steps.detect.outputs.languages }}
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v5
|
|
||||||
- name: Detect changed languages
|
|
||||||
id: detect
|
|
||||||
run: |
|
|
||||||
if [[ "${{ github.event_name }}" == "pull_request" ]]; then
|
|
||||||
# For PRs, detect which languages have changes
|
|
||||||
changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
|
|
||||||
languages=()
|
|
||||||
for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
|
|
||||||
if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
|
|
||||||
languages+=("$lang")
|
|
||||||
fi
|
|
||||||
done
|
|
||||||
echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
|
|
||||||
else
|
|
||||||
# For pushes to main/rc branches, run all languages
|
|
||||||
echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
|
|
||||||
fi
|
|
||||||
env:
|
|
||||||
GH_TOKEN: ${{ github.token }}
|
|
||||||
|
|
||||||
compile-queries:
|
compile-queries:
|
||||||
needs: detect-changes
|
if: github.repository_owner == 'github'
|
||||||
if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
|
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
strategy:
|
|
||||||
fail-fast: false
|
|
||||||
matrix:
|
|
||||||
language: ${{ fromJson(needs.detect-changes.outputs.languages) }}
|
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
with:
|
with:
|
||||||
@@ -63,16 +31,16 @@ jobs:
|
|||||||
id: query-cache
|
id: query-cache
|
||||||
uses: ./.github/actions/cache-query-compilation
|
uses: ./.github/actions/cache-query-compilation
|
||||||
with:
|
with:
|
||||||
key: ${{ matrix.language }}-queries
|
key: all-queries
|
||||||
- name: check formatting
|
- name: check formatting
|
||||||
run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
|
run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
|
||||||
- name: compile queries - check-only
|
- name: compile queries - check-only
|
||||||
# run with --check-only if running in a PR (github.sha != main)
|
# run with --check-only if running in a PR (github.sha != main)
|
||||||
if : ${{ github.event_name == 'pull_request' }}
|
if : ${{ github.event_name == 'pull_request' }}
|
||||||
shell: bash
|
shell: bash
|
||||||
run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
|
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
|
||||||
- name: compile queries - full
|
- name: compile queries - full
|
||||||
# do full compile if running on main - this populates the cache
|
# do full compile if running on main - this populates the cache
|
||||||
if : ${{ github.event_name != 'pull_request' }}
|
if : ${{ github.event_name != 'pull_request' }}
|
||||||
shell: bash
|
shell: bash
|
||||||
run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
|
run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
|
||||||
|
|||||||
2
.github/workflows/cpp-swift-analysis.yml
vendored
2
.github/workflows/cpp-swift-analysis.yml
vendored
@@ -28,7 +28,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
# Initializes the CodeQL tools for scanning.
|
# Initializes the CodeQL tools for scanning.
|
||||||
- name: Initialize CodeQL
|
- name: Initialize CodeQL
|
||||||
|
|||||||
18
.github/workflows/csharp-qltest.yml
vendored
18
.github/workflows/csharp-qltest.yml
vendored
@@ -36,26 +36,26 @@ jobs:
|
|||||||
unit-tests:
|
unit-tests:
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
os: [ubuntu-latest, windows-latest]
|
os: [ubuntu-latest, windows-2019]
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Setup dotnet
|
- name: Setup dotnet
|
||||||
uses: actions/setup-dotnet@v4
|
uses: actions/setup-dotnet@v4
|
||||||
with:
|
with:
|
||||||
dotnet-version: 10.0.100
|
dotnet-version: 9.0.100
|
||||||
- name: Extractor unit tests
|
- name: Extractor unit tests
|
||||||
run: |
|
run: |
|
||||||
dotnet tool restore
|
dotnet tool restore
|
||||||
dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Util.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Extraction.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
|
||||||
dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
|
dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
|
||||||
shell: bash
|
shell: bash
|
||||||
stubgentest:
|
stubgentest:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./csharp/actions/create-extractor-pack
|
- uses: ./csharp/actions/create-extractor-pack
|
||||||
- name: Run stub generator tests
|
- name: Run stub generator tests
|
||||||
run: |
|
run: |
|
||||||
@@ -66,6 +66,6 @@ jobs:
|
|||||||
# Update existing stubs in the repo with the freshly generated ones
|
# Update existing stubs in the repo with the freshly generated ones
|
||||||
mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
|
mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
|
||||||
git status
|
git status
|
||||||
codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
|
codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
GITHUB_TOKEN: ${{ github.token }}
|
||||||
|
|||||||
4
.github/workflows/csv-coverage-metrics.yml
vendored
4
.github/workflows/csv-coverage-metrics.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Create empty database
|
- name: Create empty database
|
||||||
@@ -51,7 +51,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Create empty database
|
- name: Create empty database
|
||||||
|
|||||||
@@ -35,11 +35,11 @@ jobs:
|
|||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||||
run: echo "$GITHUB_CONTEXT"
|
run: echo "$GITHUB_CONTEXT"
|
||||||
- name: Clone self (github/codeql) - MERGE
|
- name: Clone self (github/codeql) - MERGE
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: merge
|
path: merge
|
||||||
- name: Clone self (github/codeql) - BASE
|
- name: Clone self (github/codeql) - BASE
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
path: base
|
path: base
|
||||||
|
|||||||
@@ -24,7 +24,7 @@ jobs:
|
|||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||||
run: echo "$GITHUB_CONTEXT"
|
run: echo "$GITHUB_CONTEXT"
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Set up Python 3.8
|
- name: Set up Python 3.8
|
||||||
uses: actions/setup-python@v4
|
uses: actions/setup-python@v4
|
||||||
with:
|
with:
|
||||||
|
|||||||
@@ -12,11 +12,11 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: script
|
path: script
|
||||||
- name: Clone self (github/codeql) for analysis
|
- name: Clone self (github/codeql) for analysis
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: codeqlModels
|
path: codeqlModels
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|||||||
2
.github/workflows/csv-coverage-update.yml
vendored
2
.github/workflows/csv-coverage-update.yml
vendored
@@ -21,7 +21,7 @@ jobs:
|
|||||||
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
GITHUB_CONTEXT: ${{ toJSON(github.event) }}
|
||||||
run: echo "$GITHUB_CONTEXT"
|
run: echo "$GITHUB_CONTEXT"
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: ql
|
path: ql
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
|
|||||||
4
.github/workflows/csv-coverage.yml
vendored
4
.github/workflows/csv-coverage.yml
vendored
@@ -16,11 +16,11 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: script
|
path: script
|
||||||
- name: Clone self (github/codeql) for analysis
|
- name: Clone self (github/codeql) for analysis
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: codeqlModels
|
path: codeqlModels
|
||||||
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
|
ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
|
||||||
|
|||||||
2
.github/workflows/fast-forward.yml
vendored
2
.github/workflows/fast-forward.yml
vendored
@@ -26,7 +26,7 @@ jobs:
|
|||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Git config
|
- name: Git config
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|||||||
36
.github/workflows/go-tests-other-os.yml
vendored
Normal file
36
.github/workflows/go-tests-other-os.yml
vendored
Normal file
@@ -0,0 +1,36 @@
|
|||||||
|
name: "Go: Run Tests - Other OS"
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
paths:
|
||||||
|
- "go/**"
|
||||||
|
- "!go/documentation/**"
|
||||||
|
- "!go/ql/**" # don't run other-os if only ql/ files changed
|
||||||
|
- .github/workflows/go-tests-other-os.yml
|
||||||
|
- .github/actions/**
|
||||||
|
- codeql-workspace.yml
|
||||||
|
- MODULE.bazel
|
||||||
|
- .bazelrc
|
||||||
|
- misc/bazel/**
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
test-mac:
|
||||||
|
name: Test MacOS
|
||||||
|
runs-on: macos-latest
|
||||||
|
steps:
|
||||||
|
- name: Check out code
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
- name: Run tests
|
||||||
|
uses: ./go/actions/test
|
||||||
|
|
||||||
|
test-win:
|
||||||
|
if: github.repository_owner == 'github'
|
||||||
|
name: Test Windows
|
||||||
|
runs-on: windows-latest-xl
|
||||||
|
steps:
|
||||||
|
- name: Check out code
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
- name: Run tests
|
||||||
|
uses: ./go/actions/test
|
||||||
22
.github/workflows/go-tests-rtjo.yml
vendored
Normal file
22
.github/workflows/go-tests-rtjo.yml
vendored
Normal file
@@ -0,0 +1,22 @@
|
|||||||
|
name: "Go: Run RTJO Tests"
|
||||||
|
on:
|
||||||
|
pull_request:
|
||||||
|
types:
|
||||||
|
- labeled
|
||||||
|
|
||||||
|
permissions:
|
||||||
|
contents: read
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
test-linux:
|
||||||
|
if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
|
||||||
|
name: RTJO Test Linux (Ubuntu)
|
||||||
|
runs-on: ubuntu-latest-xl
|
||||||
|
steps:
|
||||||
|
- name: Check out code
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
- name: Run tests
|
||||||
|
uses: ./go/actions/test
|
||||||
|
with:
|
||||||
|
run-code-checks: true
|
||||||
|
dynamic-join-order-mode: all
|
||||||
15
.github/workflows/go-tests.yml
vendored
15
.github/workflows/go-tests.yml
vendored
@@ -1,6 +1,6 @@
|
|||||||
name: "Go: Run Tests"
|
name: "Go: Run Tests"
|
||||||
on:
|
on:
|
||||||
pull_request:
|
push:
|
||||||
paths:
|
paths:
|
||||||
- "go/**"
|
- "go/**"
|
||||||
- "!go/documentation/**"
|
- "!go/documentation/**"
|
||||||
@@ -8,6 +8,17 @@ on:
|
|||||||
- .github/workflows/go-tests.yml
|
- .github/workflows/go-tests.yml
|
||||||
- .github/actions/**
|
- .github/actions/**
|
||||||
- codeql-workspace.yml
|
- codeql-workspace.yml
|
||||||
|
branches:
|
||||||
|
- main
|
||||||
|
- "rc/*"
|
||||||
|
pull_request:
|
||||||
|
paths:
|
||||||
|
- "go/**"
|
||||||
|
- "!go/documentation/**"
|
||||||
|
- "shared/**"
|
||||||
|
- .github/workflows/go-tests.yml
|
||||||
|
- .github/actions/**
|
||||||
|
- codeql-workspace.yml
|
||||||
- MODULE.bazel
|
- MODULE.bazel
|
||||||
- .bazelrc
|
- .bazelrc
|
||||||
- misc/bazel/**
|
- misc/bazel/**
|
||||||
@@ -22,7 +33,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- name: Check out code
|
- name: Check out code
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Run tests
|
- name: Run tests
|
||||||
uses: ./go/actions/test
|
uses: ./go/actions/test
|
||||||
with:
|
with:
|
||||||
|
|||||||
2
.github/workflows/kotlin-build.yml
vendored
2
.github/workflows/kotlin-build.yml
vendored
@@ -20,7 +20,7 @@ jobs:
|
|||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- run: |
|
- run: |
|
||||||
bazel query //java/kotlin-extractor/...
|
bazel query //java/kotlin-extractor/...
|
||||||
# only build the default version as a quick check that we can build from `codeql`
|
# only build the default version as a quick check that we can build from `codeql`
|
||||||
|
|||||||
6
.github/workflows/mad_modelDiff.yml
vendored
6
.github/workflows/mad_modelDiff.yml
vendored
@@ -28,12 +28,12 @@ jobs:
|
|||||||
slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
|
slug: ${{fromJson(github.event.inputs.projects || '["apache/commons-codec", "apache/commons-io", "apache/commons-beanutils", "apache/commons-logging", "apache/commons-fileupload", "apache/commons-lang", "apache/commons-validator", "apache/commons-csv", "apache/dubbo"]' )}}
|
||||||
steps:
|
steps:
|
||||||
- name: Clone github/codeql from PR
|
- name: Clone github/codeql from PR
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
if: github.event.pull_request
|
if: github.event.pull_request
|
||||||
with:
|
with:
|
||||||
path: codeql-pr
|
path: codeql-pr
|
||||||
- name: Clone github/codeql from main
|
- name: Clone github/codeql from main
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: codeql-main
|
path: codeql-main
|
||||||
ref: main
|
ref: main
|
||||||
@@ -68,7 +68,7 @@ jobs:
|
|||||||
DATABASE=$2
|
DATABASE=$2
|
||||||
cd codeql-$QL_VARIANT
|
cd codeql-$QL_VARIANT
|
||||||
SHORTNAME=`basename $DATABASE`
|
SHORTNAME=`basename $DATABASE`
|
||||||
python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
|
python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
|
||||||
mkdir -p $MODELS/$SHORTNAME
|
mkdir -p $MODELS/$SHORTNAME
|
||||||
mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
|
mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
|
||||||
cd ..
|
cd ..
|
||||||
|
|||||||
4
.github/workflows/mad_regenerate-models.yml
vendored
4
.github/workflows/mad_regenerate-models.yml
vendored
@@ -30,11 +30,11 @@ jobs:
|
|||||||
ref: "placeholder"
|
ref: "placeholder"
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Setup CodeQL binaries
|
- name: Setup CodeQL binaries
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Clone repositories
|
- name: Clone repositories
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: repos/${{ matrix.ref }}
|
path: repos/${{ matrix.ref }}
|
||||||
ref: ${{ matrix.ref }}
|
ref: ${{ matrix.ref }}
|
||||||
|
|||||||
35
.github/workflows/python-tooling.yml
vendored
35
.github/workflows/python-tooling.yml
vendored
@@ -1,35 +0,0 @@
|
|||||||
name: Python tooling
|
|
||||||
|
|
||||||
on:
|
|
||||||
pull_request:
|
|
||||||
paths:
|
|
||||||
- "misc/bazel/**"
|
|
||||||
- "misc/codegen/**"
|
|
||||||
- "misc/scripts/models-as-data/bulk_generate_mad.py"
|
|
||||||
- "*.bazel*"
|
|
||||||
- .github/workflows/codegen.yml
|
|
||||||
- .pre-commit-config.yaml
|
|
||||||
branches:
|
|
||||||
- main
|
|
||||||
- rc/*
|
|
||||||
- codeql-cli-*
|
|
||||||
|
|
||||||
permissions:
|
|
||||||
contents: read
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
check-python-tooling:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- uses: actions/checkout@v5
|
|
||||||
- uses: actions/setup-python@v5
|
|
||||||
with:
|
|
||||||
python-version: '3.12'
|
|
||||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
|
||||||
name: Check that python code is properly formatted
|
|
||||||
with:
|
|
||||||
extra_args: black --all-files
|
|
||||||
- name: Run codegen tests
|
|
||||||
shell: bash
|
|
||||||
run: |
|
|
||||||
bazel test //misc/codegen/...
|
|
||||||
2
.github/workflows/qhelp-pr-preview.yml
vendored
2
.github/workflows/qhelp-pr-preview.yml
vendored
@@ -43,7 +43,7 @@ jobs:
|
|||||||
if-no-files-found: error
|
if-no-files-found: error
|
||||||
retention-days: 1
|
retention-days: 1
|
||||||
|
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 2
|
fetch-depth: 2
|
||||||
persist-credentials: false
|
persist-credentials: false
|
||||||
|
|||||||
2
.github/workflows/ql-for-ql-build.yml
vendored
2
.github/workflows/ql-for-ql-build.yml
vendored
@@ -19,7 +19,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
### Build the queries ###
|
### Build the queries ###
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
fetch-depth: 0
|
fetch-depth: 0
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
|
|||||||
@@ -25,7 +25,7 @@ jobs:
|
|||||||
- github/codeql
|
- github/codeql
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
@@ -46,14 +46,14 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }}
|
||||||
- name: Checkout ${{ matrix.repo }}
|
- name: Checkout ${{ matrix.repo }}
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: ${{ matrix.repo }}
|
repository: ${{ matrix.repo }}
|
||||||
path: ${{ github.workspace }}/repo
|
path: ${{ github.workspace }}/repo
|
||||||
- name: Create database
|
- name: Create database
|
||||||
run: |
|
run: |
|
||||||
"${CODEQL}" database create \
|
"${CODEQL}" database create \
|
||||||
--search-path "${{ github.workspace }}" \
|
--search-path "${{ github.workspace }}"
|
||||||
--threads 4 \
|
--threads 4 \
|
||||||
--language ql --source-root "${{ github.workspace }}/repo" \
|
--language ql --source-root "${{ github.workspace }}/repo" \
|
||||||
"${{ runner.temp }}/database"
|
"${{ runner.temp }}/database"
|
||||||
@@ -75,7 +75,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: measure
|
needs: measure
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/download-artifact@v4
|
- uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: measurements
|
name: measurements
|
||||||
|
|||||||
4
.github/workflows/ql-for-ql-tests.yml
vendored
4
.github/workflows/ql-for-ql-tests.yml
vendored
@@ -24,7 +24,7 @@ jobs:
|
|||||||
qltest:
|
qltest:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Find codeql
|
- name: Find codeql
|
||||||
id: find-codeql
|
id: find-codeql
|
||||||
uses: github/codeql-action/init@main
|
uses: github/codeql-action/init@main
|
||||||
@@ -64,7 +64,7 @@ jobs:
|
|||||||
needs: [qltest]
|
needs: [qltest]
|
||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Install GNU tar
|
- name: Install GNU tar
|
||||||
if: runner.os == 'macOS'
|
if: runner.os == 'macOS'
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
4
.github/workflows/query-list.yml
vendored
4
.github/workflows/query-list.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Clone self (github/codeql)
|
- name: Clone self (github/codeql)
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
path: codeql
|
path: codeql
|
||||||
- name: Set up Python 3.8
|
- name: Set up Python 3.8
|
||||||
@@ -31,7 +31,7 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
python-version: 3.8
|
python-version: 3.8
|
||||||
- name: Download CodeQL CLI
|
- name: Download CodeQL CLI
|
||||||
# Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
|
# Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
|
||||||
uses: ./codeql/.github/actions/fetch-codeql
|
uses: ./codeql/.github/actions/fetch-codeql
|
||||||
- name: Build code scanning query list
|
- name: Build code scanning query list
|
||||||
run: |
|
run: |
|
||||||
|
|||||||
8
.github/workflows/ruby-build.yml
vendored
8
.github/workflows/ruby-build.yml
vendored
@@ -47,7 +47,7 @@ jobs:
|
|||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Install GNU tar
|
- name: Install GNU tar
|
||||||
if: runner.os == 'macOS'
|
if: runner.os == 'macOS'
|
||||||
run: |
|
run: |
|
||||||
@@ -113,7 +113,7 @@ jobs:
|
|||||||
if: github.repository_owner == 'github'
|
if: github.repository_owner == 'github'
|
||||||
runs-on: ubuntu-latest-xl
|
runs-on: ubuntu-latest-xl
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Fetch CodeQL
|
- name: Fetch CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Cache compilation cache
|
- name: Cache compilation cache
|
||||||
@@ -146,7 +146,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: [build, compile-queries]
|
needs: [build, compile-queries]
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/download-artifact@v4
|
- uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: ruby.dbscheme
|
name: ruby.dbscheme
|
||||||
@@ -209,7 +209,7 @@ jobs:
|
|||||||
runs-on: ${{ matrix.os }}
|
runs-on: ${{ matrix.os }}
|
||||||
needs: [package]
|
needs: [package]
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Fetch CodeQL
|
- name: Fetch CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
|
|||||||
6
.github/workflows/ruby-dataset-measure.yml
vendored
6
.github/workflows/ruby-dataset-measure.yml
vendored
@@ -30,14 +30,14 @@ jobs:
|
|||||||
repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
|
repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
|
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
|
|
||||||
- uses: ./ruby/actions/create-extractor-pack
|
- uses: ./ruby/actions/create-extractor-pack
|
||||||
|
|
||||||
- name: Checkout ${{ matrix.repo }}
|
- name: Checkout ${{ matrix.repo }}
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
with:
|
with:
|
||||||
repository: ${{ matrix.repo }}
|
repository: ${{ matrix.repo }}
|
||||||
path: ${{ github.workspace }}/repo
|
path: ${{ github.workspace }}/repo
|
||||||
@@ -62,7 +62,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: measure
|
needs: measure
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: actions/download-artifact@v4
|
- uses: actions/download-artifact@v4
|
||||||
with:
|
with:
|
||||||
path: stats
|
path: stats
|
||||||
|
|||||||
4
.github/workflows/ruby-qltest-rtjo.yml
vendored
4
.github/workflows/ruby-qltest-rtjo.yml
vendored
@@ -25,7 +25,7 @@ jobs:
|
|||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- uses: ./ruby/actions/create-extractor-pack
|
- uses: ./ruby/actions/create-extractor-pack
|
||||||
- name: Cache compilation cache
|
- name: Cache compilation cache
|
||||||
@@ -35,6 +35,6 @@ jobs:
|
|||||||
key: ruby-qltest
|
key: ruby-qltest
|
||||||
- name: Run QL tests
|
- name: Run QL tests
|
||||||
run: |
|
run: |
|
||||||
codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
GITHUB_TOKEN: ${{ github.token }}
|
||||||
|
|||||||
6
.github/workflows/ruby-qltest.yml
vendored
6
.github/workflows/ruby-qltest.yml
vendored
@@ -36,7 +36,7 @@ jobs:
|
|||||||
qlupgrade:
|
qlupgrade:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- name: Check DB upgrade scripts
|
- name: Check DB upgrade scripts
|
||||||
run: |
|
run: |
|
||||||
@@ -58,7 +58,7 @@ jobs:
|
|||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- uses: ./ruby/actions/create-extractor-pack
|
- uses: ./ruby/actions/create-extractor-pack
|
||||||
- name: Cache compilation cache
|
- name: Cache compilation cache
|
||||||
@@ -68,6 +68,6 @@ jobs:
|
|||||||
key: ruby-qltest
|
key: ruby-qltest
|
||||||
- name: Run QL tests
|
- name: Run QL tests
|
||||||
run: |
|
run: |
|
||||||
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ github.token }}
|
GITHUB_TOKEN: ${{ github.token }}
|
||||||
|
|||||||
2
.github/workflows/rust-analysis.yml
vendored
2
.github/workflows/rust-analysis.yml
vendored
@@ -35,7 +35,7 @@ jobs:
|
|||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Query latest nightly CodeQL bundle
|
- name: Query latest nightly CodeQL bundle
|
||||||
shell: bash
|
shell: bash
|
||||||
|
|||||||
6
.github/workflows/rust.yml
vendored
6
.github/workflows/rust.yml
vendored
@@ -30,7 +30,7 @@ jobs:
|
|||||||
working-directory: rust/ast-generator
|
working-directory: rust/ast-generator
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Inject sources
|
- name: Inject sources
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
@@ -53,7 +53,7 @@ jobs:
|
|||||||
working-directory: rust/extractor
|
working-directory: rust/extractor
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Format
|
- name: Format
|
||||||
shell: bash
|
shell: bash
|
||||||
run: |
|
run: |
|
||||||
@@ -69,7 +69,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
- name: Install CodeQL
|
- name: Install CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
- name: Code generation
|
- name: Code generation
|
||||||
|
|||||||
10
.github/workflows/swift.yml
vendored
10
.github/workflows/swift.yml
vendored
@@ -32,11 +32,11 @@ jobs:
|
|||||||
if: github.repository_owner == 'github'
|
if: github.repository_owner == 'github'
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
runner: [ubuntu-latest, macos-15-xlarge]
|
runner: [ubuntu-latest, macos-13-xlarge]
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
runs-on: ${{ matrix.runner }}
|
runs-on: ${{ matrix.runner }}
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Setup (Linux)
|
- name: Setup (Linux)
|
||||||
if: runner.os == 'Linux'
|
if: runner.os == 'Linux'
|
||||||
run: |
|
run: |
|
||||||
@@ -53,7 +53,7 @@ jobs:
|
|||||||
clang-format:
|
clang-format:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||||
name: Check that python code is properly formatted
|
name: Check that python code is properly formatted
|
||||||
with:
|
with:
|
||||||
@@ -61,7 +61,7 @@ jobs:
|
|||||||
codegen:
|
codegen:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- uses: ./.github/actions/fetch-codeql
|
- uses: ./.github/actions/fetch-codeql
|
||||||
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
- uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
|
||||||
name: Check that QL generated code was checked in
|
name: Check that QL generated code was checked in
|
||||||
@@ -77,6 +77,6 @@ jobs:
|
|||||||
check-no-override:
|
check-no-override:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check that no override is present in load.bzl
|
- name: Check that no override is present in load.bzl
|
||||||
run: bazel test ... --test_tag_filters=override --test_output=errors
|
run: bazel test ... --test_tag_filters=override --test_output=errors
|
||||||
|
|||||||
2
.github/workflows/sync-files.yml
vendored
2
.github/workflows/sync-files.yml
vendored
@@ -17,7 +17,7 @@ jobs:
|
|||||||
sync:
|
sync:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check synchronized files
|
- name: Check synchronized files
|
||||||
run: python config/sync-files.py
|
run: python config/sync-files.py
|
||||||
- name: Check dbscheme fragments
|
- name: Check dbscheme fragments
|
||||||
|
|||||||
@@ -30,7 +30,7 @@ jobs:
|
|||||||
test:
|
test:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check formatting
|
- name: Check formatting
|
||||||
run: cargo fmt -- --check
|
run: cargo fmt -- --check
|
||||||
- name: Run tests
|
- name: Run tests
|
||||||
@@ -38,12 +38,12 @@ jobs:
|
|||||||
fmt:
|
fmt:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Check formatting
|
- name: Check formatting
|
||||||
run: cargo fmt --check
|
run: cargo fmt --check
|
||||||
clippy:
|
clippy:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- name: Run clippy
|
- name: Run clippy
|
||||||
run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
|
run: cargo clippy -- --no-deps -D warnings -A clippy::new_without_default -A clippy::too_many_arguments
|
||||||
|
|||||||
4
.github/workflows/validate-change-notes.yml
vendored
4
.github/workflows/validate-change-notes.yml
vendored
@@ -23,7 +23,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v5
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Setup CodeQL
|
- name: Setup CodeQL
|
||||||
uses: ./.github/actions/fetch-codeql
|
uses: ./.github/actions/fetch-codeql
|
||||||
@@ -31,4 +31,4 @@ jobs:
|
|||||||
- name: Fail if there are any errors with existing change notes
|
- name: Fail if there are any errors with existing change notes
|
||||||
|
|
||||||
run: |
|
run: |
|
||||||
codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
|
codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental
|
||||||
|
|||||||
2
.github/workflows/zipmerge-test.yml
vendored
2
.github/workflows/zipmerge-test.yml
vendored
@@ -18,6 +18,6 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v5
|
- uses: actions/checkout@v4
|
||||||
- run: |
|
- run: |
|
||||||
bazel test //misc/bazel/internal/zipmerge:test --test_output=all
|
bazel test //misc/bazel/internal/zipmerge:test --test_output=all
|
||||||
|
|||||||
8
.gitignore
vendored
8
.gitignore
vendored
@@ -62,7 +62,6 @@ node_modules/
|
|||||||
|
|
||||||
# Temporary folders for working with generated models
|
# Temporary folders for working with generated models
|
||||||
.model-temp
|
.model-temp
|
||||||
/mad-generation-build
|
|
||||||
|
|
||||||
# bazel-built in-tree extractor packs
|
# bazel-built in-tree extractor packs
|
||||||
/*/extractor-pack
|
/*/extractor-pack
|
||||||
@@ -72,10 +71,3 @@ node_modules/
|
|||||||
|
|
||||||
# cargo build directory
|
# cargo build directory
|
||||||
/target
|
/target
|
||||||
|
|
||||||
# some upgrade/downgrade checks create these files
|
|
||||||
**/upgrades/*/*.dbscheme.stats
|
|
||||||
**/downgrades/*/*.dbscheme.stats
|
|
||||||
|
|
||||||
# Mergetool files
|
|
||||||
*.orig
|
|
||||||
|
|||||||
@@ -1,7 +1,5 @@
|
|||||||
# See https://pre-commit.com for more information
|
# See https://pre-commit.com for more information
|
||||||
# See https://pre-commit.com/hooks.html for more hooks
|
# See https://pre-commit.com/hooks.html for more hooks
|
||||||
default_language_version:
|
|
||||||
python: python3.12
|
|
||||||
repos:
|
repos:
|
||||||
- repo: https://github.com/pre-commit/pre-commit-hooks
|
- repo: https://github.com/pre-commit/pre-commit-hooks
|
||||||
rev: v3.2.0
|
rev: v3.2.0
|
||||||
@@ -9,18 +7,18 @@ repos:
|
|||||||
- id: trailing-whitespace
|
- id: trailing-whitespace
|
||||||
exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
|
exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
|
||||||
- id: end-of-file-fixer
|
- id: end-of-file-fixer
|
||||||
exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
|
exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
|
||||||
|
|
||||||
- repo: https://github.com/pre-commit/mirrors-clang-format
|
- repo: https://github.com/pre-commit/mirrors-clang-format
|
||||||
rev: v17.0.6
|
rev: v17.0.6
|
||||||
hooks:
|
hooks:
|
||||||
- id: clang-format
|
- id: clang-format
|
||||||
|
|
||||||
- repo: https://github.com/psf/black
|
- repo: https://github.com/pre-commit/mirrors-autopep8
|
||||||
rev: 25.1.0
|
rev: v2.0.4
|
||||||
hooks:
|
hooks:
|
||||||
- id: black
|
- id: autopep8
|
||||||
files: ^(misc/codegen/.*|misc/scripts/models-as-data/.*)\.py$
|
files: ^misc/codegen/.*\.py
|
||||||
|
|
||||||
- repo: local
|
- repo: local
|
||||||
hooks:
|
hooks:
|
||||||
|
|||||||
28
CODEOWNERS
28
CODEOWNERS
@@ -1,39 +1,22 @@
|
|||||||
# Catch-all for anything which isn't matched by a line lower down
|
|
||||||
* @github/code-scanning-alert-coverage
|
|
||||||
|
|
||||||
# CodeQL language libraries
|
|
||||||
/actions/ @github/codeql-dynamic
|
/actions/ @github/codeql-dynamic
|
||||||
/cpp/ @github/codeql-c-analysis
|
/cpp/ @github/codeql-c-analysis
|
||||||
/csharp/ @github/codeql-csharp
|
/csharp/ @github/codeql-csharp
|
||||||
/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor @github/code-scanning-language-coverage
|
/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor
|
||||||
/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor @github/code-scanning-language-coverage
|
/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor
|
||||||
/go/ @github/codeql-go
|
/go/ @github/codeql-go
|
||||||
/go/codeql-tools/ @github/codeql-go @github/code-scanning-language-coverage
|
|
||||||
/go/downgrades/ @github/codeql-go @github/code-scanning-language-coverage
|
|
||||||
/go/extractor/ @github/codeql-go @github/code-scanning-language-coverage
|
|
||||||
/go/extractor-smoke-test/ @github/codeql-go @github/code-scanning-language-coverage
|
|
||||||
/go/ql/test/extractor-tests/ @github/codeql-go @github/code-scanning-language-coverage
|
|
||||||
/java/ @github/codeql-java
|
/java/ @github/codeql-java
|
||||||
/javascript/ @github/codeql-javascript
|
/javascript/ @github/codeql-javascript
|
||||||
/javascript/extractor/ @github/codeql-javascript @github/code-scanning-language-coverage
|
|
||||||
/python/ @github/codeql-python
|
/python/ @github/codeql-python
|
||||||
/python/extractor/ @github/codeql-python @github/code-scanning-language-coverage
|
|
||||||
/ql/ @github/codeql-ql-for-ql-reviewers
|
|
||||||
/ruby/ @github/codeql-ruby
|
/ruby/ @github/codeql-ruby
|
||||||
/ruby/extractor/ @github/codeql-ruby @github/code-scanning-language-coverage
|
|
||||||
/rust/ @github/codeql-rust
|
/rust/ @github/codeql-rust
|
||||||
/rust/extractor/ @github/codeql-rust @github/code-scanning-language-coverage
|
|
||||||
/shared/ @github/codeql-shared-libraries-reviewers
|
|
||||||
/swift/ @github/codeql-swift
|
/swift/ @github/codeql-swift
|
||||||
/swift/extractor/ @github/codeql-swift @github/code-scanning-language-coverage
|
|
||||||
/misc/codegen/ @github/codeql-swift
|
/misc/codegen/ @github/codeql-swift
|
||||||
/java/kotlin-extractor/ @github/codeql-kotlin @github/code-scanning-language-coverage
|
/java/kotlin-extractor/ @github/codeql-kotlin
|
||||||
/java/ql/test-kotlin1/ @github/codeql-kotlin
|
/java/ql/test-kotlin1/ @github/codeql-kotlin
|
||||||
/java/ql/test-kotlin2/ @github/codeql-kotlin
|
/java/ql/test-kotlin2/ @github/codeql-kotlin
|
||||||
|
|
||||||
# Experimental CodeQL cryptography
|
# Experimental CodeQL cryptography
|
||||||
**/experimental/**/quantum/ @github/ps-codeql
|
**/experimental/quantum/ @github/ps-codeql
|
||||||
/shared/quantum/ @github/ps-codeql
|
|
||||||
|
|
||||||
# CodeQL tools and associated docs
|
# CodeQL tools and associated docs
|
||||||
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
|
/docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
|
||||||
@@ -41,6 +24,9 @@
|
|||||||
/docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
|
/docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
|
||||||
/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
|
/docs/query-*-style-guide.md @github/codeql-analysis-reviewers
|
||||||
|
|
||||||
|
# QL for QL reviewers
|
||||||
|
/ql/ @github/codeql-ql-for-ql-reviewers
|
||||||
|
|
||||||
# Bazel (excluding BUILD.bazel files)
|
# Bazel (excluding BUILD.bazel files)
|
||||||
MODULE.bazel @github/codeql-ci-reviewers
|
MODULE.bazel @github/codeql-ci-reviewers
|
||||||
.bazelversion @github/codeql-ci-reviewers
|
.bazelversion @github/codeql-ci-reviewers
|
||||||
|
|||||||
1651
Cargo.lock
generated
1651
Cargo.lock
generated
File diff suppressed because it is too large
Load Diff
@@ -10,3 +10,8 @@ members = [
|
|||||||
"rust/ast-generator",
|
"rust/ast-generator",
|
||||||
"rust/autobuild",
|
"rust/autobuild",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
[patch.crates-io]
|
||||||
|
# patch for build script bug preventing bazel build
|
||||||
|
# see https://github.com/rust-lang/rustc_apfloat/pull/17
|
||||||
|
rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }
|
||||||
|
|||||||
172
MODULE.bazel
172
MODULE.bazel
@@ -14,21 +14,21 @@ local_path_override(
|
|||||||
|
|
||||||
# see https://registry.bazel.build/ for a list of available packages
|
# see https://registry.bazel.build/ for a list of available packages
|
||||||
|
|
||||||
bazel_dep(name = "platforms", version = "1.0.0")
|
bazel_dep(name = "platforms", version = "0.0.11")
|
||||||
bazel_dep(name = "rules_go", version = "0.56.1")
|
bazel_dep(name = "rules_go", version = "0.50.1")
|
||||||
bazel_dep(name = "rules_pkg", version = "1.0.1")
|
bazel_dep(name = "rules_pkg", version = "1.0.1")
|
||||||
bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
|
bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
|
||||||
bazel_dep(name = "rules_python", version = "0.40.0")
|
bazel_dep(name = "rules_python", version = "0.40.0")
|
||||||
bazel_dep(name = "rules_shell", version = "0.5.0")
|
bazel_dep(name = "rules_shell", version = "0.3.0")
|
||||||
bazel_dep(name = "bazel_skylib", version = "1.8.1")
|
bazel_dep(name = "bazel_skylib", version = "1.7.1")
|
||||||
bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
|
bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
|
||||||
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
|
bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
|
||||||
bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
|
bazel_dep(name = "fmt", version = "10.0.0")
|
||||||
bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
|
bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
|
||||||
bazel_dep(name = "gazelle", version = "0.40.0")
|
bazel_dep(name = "gazelle", version = "0.40.0")
|
||||||
bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
|
bazel_dep(name = "rules_dotnet", version = "0.17.4")
|
||||||
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
|
bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
|
||||||
bazel_dep(name = "rules_rust", version = "0.66.0")
|
bazel_dep(name = "rules_rust", version = "0.58.0")
|
||||||
bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
|
bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
|
||||||
|
|
||||||
bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
|
bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
|
||||||
@@ -37,11 +37,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
|
|||||||
# the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
|
# the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
|
||||||
RUST_EDITION = "2024"
|
RUST_EDITION = "2024"
|
||||||
|
|
||||||
# run buildutils-internal/scripts/fill-rust-sha256s.py when updating (internal repo)
|
RUST_VERSION = "1.85.0"
|
||||||
# a nightly toolchain is required to enable experimental_use_cc_common_link, which we require internally
|
|
||||||
# we prefer to run the same version as internally, even if experimental_use_cc_common_link is not really
|
|
||||||
# required in this repo
|
|
||||||
RUST_VERSION = "nightly/2025-08-01"
|
|
||||||
|
|
||||||
rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
|
rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
|
||||||
rust.toolchain(
|
rust.toolchain(
|
||||||
@@ -51,29 +47,6 @@ rust.toolchain(
|
|||||||
"x86_64-apple-darwin",
|
"x86_64-apple-darwin",
|
||||||
"aarch64-apple-darwin",
|
"aarch64-apple-darwin",
|
||||||
],
|
],
|
||||||
# generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
|
|
||||||
sha256s = {
|
|
||||||
"2025-08-01/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "9bbeaf5d3fc7247d31463a9083aa251c995cc50662c8219e7a2254d76a72a9a4",
|
|
||||||
"2025-08-01/rustc-nightly-x86_64-apple-darwin.tar.xz": "c9ea539a8eff0d5d162701f99f9e1aabe14dd0dfb420d62362817a5d09219de7",
|
|
||||||
"2025-08-01/rustc-nightly-aarch64-apple-darwin.tar.xz": "ae83feebbc39cfd982e4ecc8297731fe79c185173aee138467b334c5404b3773",
|
|
||||||
"2025-08-01/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "9f170c30d802a349be60cf52ec46260802093cb1013ad667fc0d528b7b10152f",
|
|
||||||
"2025-08-01/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "9ae5f3cd8f557c4f6df522597c69d14398cf604cfaed2b83e767c4b77a7eaaf6",
|
|
||||||
"2025-08-01/clippy-nightly-x86_64-apple-darwin.tar.xz": "983cb9ee0b6b968188e04ab2d33743d54764b2681ce565e1b3f2b9135c696a3e",
|
|
||||||
"2025-08-01/clippy-nightly-aarch64-apple-darwin.tar.xz": "ed2219dbc49d088225e1b7c5c4390fa295066e071fddaa2714018f6bb39ddbf0",
|
|
||||||
"2025-08-01/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "911f40ab5cbdd686f40e00965271fe47c4805513a308ed01f30eafb25b448a50",
|
|
||||||
"2025-08-01/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "106463c284e48e4904c717471eeec2be5cc83a9d2cae8d6e948b52438cad2e69",
|
|
||||||
"2025-08-01/cargo-nightly-x86_64-apple-darwin.tar.xz": "6ad35c40efc41a8c531ea43235058347b6902d98a9693bf0aed7fc16d5590cef",
|
|
||||||
"2025-08-01/cargo-nightly-aarch64-apple-darwin.tar.xz": "dd28c365e9d298abc3154c797720ad36a0058f131265c9978b4c8e4e37012c8a",
|
|
||||||
"2025-08-01/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "7b431286e12d6b3834b038f078389a00cac73f351e8c3152b2504a3c06420b3b",
|
|
||||||
"2025-08-01/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "e342e305d7927cc288d386983b2bc253cfad3776b113386e903d0b302648ef47",
|
|
||||||
"2025-08-01/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "e44dd3506524d85c37b3a54bcc91d01378fd2c590b2db5c5974d12f05c1b84d1",
|
|
||||||
"2025-08-01/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "0c1b5f46dd81be4a9227b10283a0fcaa39c14fea7e81aea6fd6d9887ff6cdc41",
|
|
||||||
"2025-08-01/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "423e5fd11406adccbc31b8456ceb7375ce055cdf45e90d2c3babeb2d7f58383f",
|
|
||||||
"2025-08-01/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "3c0ceb46a252647a1d4c7116d9ccae684fa5e42aaf3296419febd2c962c3b41d",
|
|
||||||
"2025-08-01/rust-std-nightly-x86_64-apple-darwin.tar.xz": "3be416003cab10f767390a753d1d16ae4d26c7421c03c98992cf1943e5b0efe8",
|
|
||||||
"2025-08-01/rust-std-nightly-aarch64-apple-darwin.tar.xz": "4046ac0ef951cb056b5028a399124f60999fa37792eab69d008d8d7965f389b4",
|
|
||||||
"2025-08-01/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "191ed9d8603c3a4fe5a7bbbc2feb72049078dae2df3d3b7d5dedf3abbf823e6e",
|
|
||||||
},
|
|
||||||
versions = [RUST_VERSION],
|
versions = [RUST_VERSION],
|
||||||
)
|
)
|
||||||
use_repo(rust, "rust_toolchains")
|
use_repo(rust, "rust_toolchains")
|
||||||
@@ -89,8 +62,8 @@ use_repo(
|
|||||||
"vendor_py__cc-1.2.14",
|
"vendor_py__cc-1.2.14",
|
||||||
"vendor_py__clap-4.5.30",
|
"vendor_py__clap-4.5.30",
|
||||||
"vendor_py__regex-1.11.1",
|
"vendor_py__regex-1.11.1",
|
||||||
"vendor_py__tree-sitter-0.24.7",
|
"vendor_py__tree-sitter-0.20.4",
|
||||||
"vendor_py__tree-sitter-graph-0.12.0",
|
"vendor_py__tree-sitter-graph-0.7.0",
|
||||||
)
|
)
|
||||||
|
|
||||||
# deps for ruby+rust
|
# deps for ruby+rust
|
||||||
@@ -98,60 +71,59 @@ use_repo(
|
|||||||
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
|
tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
|
||||||
use_repo(
|
use_repo(
|
||||||
tree_sitter_extractors_deps,
|
tree_sitter_extractors_deps,
|
||||||
"vendor_ts__anyhow-1.0.100",
|
"vendor_ts__anyhow-1.0.97",
|
||||||
"vendor_ts__argfile-0.2.1",
|
"vendor_ts__argfile-0.2.1",
|
||||||
"vendor_ts__chalk-ir-0.104.0",
|
"vendor_ts__chalk-ir-0.100.0",
|
||||||
"vendor_ts__chrono-0.4.42",
|
"vendor_ts__chrono-0.4.40",
|
||||||
"vendor_ts__clap-4.5.48",
|
"vendor_ts__clap-4.5.35",
|
||||||
"vendor_ts__dunce-1.0.5",
|
"vendor_ts__dunce-1.0.5",
|
||||||
"vendor_ts__either-1.15.0",
|
"vendor_ts__either-1.15.0",
|
||||||
"vendor_ts__encoding-0.2.33",
|
"vendor_ts__encoding-0.2.33",
|
||||||
"vendor_ts__figment-0.10.19",
|
"vendor_ts__figment-0.10.19",
|
||||||
"vendor_ts__flate2-1.1.2",
|
"vendor_ts__flate2-1.1.0",
|
||||||
"vendor_ts__glob-0.3.3",
|
"vendor_ts__glob-0.3.2",
|
||||||
"vendor_ts__globset-0.4.16",
|
"vendor_ts__globset-0.4.15",
|
||||||
"vendor_ts__itertools-0.14.0",
|
"vendor_ts__itertools-0.14.0",
|
||||||
"vendor_ts__lazy_static-1.5.0",
|
"vendor_ts__lazy_static-1.5.0",
|
||||||
"vendor_ts__mustache-0.9.0",
|
"vendor_ts__mustache-0.9.0",
|
||||||
"vendor_ts__num-traits-0.2.19",
|
"vendor_ts__num-traits-0.2.19",
|
||||||
"vendor_ts__num_cpus-1.17.0",
|
"vendor_ts__num_cpus-1.16.0",
|
||||||
"vendor_ts__proc-macro2-1.0.101",
|
"vendor_ts__proc-macro2-1.0.94",
|
||||||
"vendor_ts__quote-1.0.41",
|
"vendor_ts__quote-1.0.40",
|
||||||
"vendor_ts__ra_ap_base_db-0.0.301",
|
"vendor_ts__ra_ap_base_db-0.0.273",
|
||||||
"vendor_ts__ra_ap_cfg-0.0.301",
|
"vendor_ts__ra_ap_cfg-0.0.273",
|
||||||
"vendor_ts__ra_ap_hir-0.0.301",
|
"vendor_ts__ra_ap_hir-0.0.273",
|
||||||
"vendor_ts__ra_ap_hir_def-0.0.301",
|
"vendor_ts__ra_ap_hir_def-0.0.273",
|
||||||
"vendor_ts__ra_ap_hir_expand-0.0.301",
|
"vendor_ts__ra_ap_hir_expand-0.0.273",
|
||||||
"vendor_ts__ra_ap_hir_ty-0.0.301",
|
"vendor_ts__ra_ap_hir_ty-0.0.273",
|
||||||
"vendor_ts__ra_ap_ide_db-0.0.301",
|
"vendor_ts__ra_ap_ide_db-0.0.273",
|
||||||
"vendor_ts__ra_ap_intern-0.0.301",
|
"vendor_ts__ra_ap_intern-0.0.273",
|
||||||
"vendor_ts__ra_ap_load-cargo-0.0.301",
|
"vendor_ts__ra_ap_load-cargo-0.0.273",
|
||||||
"vendor_ts__ra_ap_parser-0.0.301",
|
"vendor_ts__ra_ap_parser-0.0.273",
|
||||||
"vendor_ts__ra_ap_paths-0.0.301",
|
"vendor_ts__ra_ap_paths-0.0.273",
|
||||||
"vendor_ts__ra_ap_project_model-0.0.301",
|
"vendor_ts__ra_ap_project_model-0.0.273",
|
||||||
"vendor_ts__ra_ap_span-0.0.301",
|
"vendor_ts__ra_ap_span-0.0.273",
|
||||||
"vendor_ts__ra_ap_stdx-0.0.301",
|
"vendor_ts__ra_ap_stdx-0.0.273",
|
||||||
"vendor_ts__ra_ap_syntax-0.0.301",
|
"vendor_ts__ra_ap_syntax-0.0.273",
|
||||||
"vendor_ts__ra_ap_vfs-0.0.301",
|
"vendor_ts__ra_ap_vfs-0.0.273",
|
||||||
"vendor_ts__rand-0.9.2",
|
"vendor_ts__rand-0.9.0",
|
||||||
"vendor_ts__rayon-1.11.0",
|
"vendor_ts__rayon-1.10.0",
|
||||||
"vendor_ts__regex-1.11.3",
|
"vendor_ts__regex-1.11.1",
|
||||||
"vendor_ts__serde-1.0.228",
|
"vendor_ts__serde-1.0.219",
|
||||||
"vendor_ts__serde_json-1.0.145",
|
"vendor_ts__serde_json-1.0.140",
|
||||||
"vendor_ts__serde_with-3.14.1",
|
"vendor_ts__serde_with-3.12.0",
|
||||||
"vendor_ts__syn-2.0.106",
|
"vendor_ts__syn-2.0.100",
|
||||||
"vendor_ts__toml-0.9.7",
|
"vendor_ts__toml-0.8.20",
|
||||||
"vendor_ts__tracing-0.1.41",
|
"vendor_ts__tracing-0.1.41",
|
||||||
"vendor_ts__tracing-flame-0.2.0",
|
"vendor_ts__tracing-flame-0.2.0",
|
||||||
"vendor_ts__tracing-subscriber-0.3.20",
|
"vendor_ts__tracing-subscriber-0.3.19",
|
||||||
"vendor_ts__tree-sitter-0.25.9",
|
"vendor_ts__tree-sitter-0.24.6",
|
||||||
"vendor_ts__tree-sitter-embedded-template-0.25.0",
|
"vendor_ts__tree-sitter-embedded-template-0.23.2",
|
||||||
"vendor_ts__tree-sitter-json-0.24.8",
|
"vendor_ts__tree-sitter-json-0.24.8",
|
||||||
"vendor_ts__tree-sitter-ql-0.23.1",
|
"vendor_ts__tree-sitter-ql-0.23.1",
|
||||||
"vendor_ts__tree-sitter-ruby-0.23.1",
|
"vendor_ts__tree-sitter-ruby-0.23.1",
|
||||||
"vendor_ts__triomphe-0.1.14",
|
"vendor_ts__triomphe-0.1.14",
|
||||||
"vendor_ts__ungrammar-1.16.1",
|
"vendor_ts__ungrammar-1.16.1",
|
||||||
"vendor_ts__zstd-0.13.3",
|
|
||||||
)
|
)
|
||||||
|
|
||||||
http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
|
http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
|
||||||
@@ -172,7 +144,7 @@ http_archive(
|
|||||||
)
|
)
|
||||||
|
|
||||||
dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
|
dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
|
||||||
dotnet.toolchain(dotnet_version = "10.0.100")
|
dotnet.toolchain(dotnet_version = "9.0.100")
|
||||||
use_repo(dotnet, "dotnet_toolchains")
|
use_repo(dotnet, "dotnet_toolchains")
|
||||||
|
|
||||||
register_toolchains("@dotnet_toolchains//:all")
|
register_toolchains("@dotnet_toolchains//:all")
|
||||||
@@ -221,6 +193,10 @@ use_repo(
|
|||||||
kotlin_extractor_deps,
|
kotlin_extractor_deps,
|
||||||
"codeql_kotlin_defaults",
|
"codeql_kotlin_defaults",
|
||||||
"codeql_kotlin_embeddable",
|
"codeql_kotlin_embeddable",
|
||||||
|
"kotlin-compiler-1.5.0",
|
||||||
|
"kotlin-compiler-1.5.10",
|
||||||
|
"kotlin-compiler-1.5.20",
|
||||||
|
"kotlin-compiler-1.5.30",
|
||||||
"kotlin-compiler-1.6.0",
|
"kotlin-compiler-1.6.0",
|
||||||
"kotlin-compiler-1.6.20",
|
"kotlin-compiler-1.6.20",
|
||||||
"kotlin-compiler-1.7.0",
|
"kotlin-compiler-1.7.0",
|
||||||
@@ -232,8 +208,10 @@ use_repo(
|
|||||||
"kotlin-compiler-2.0.20-Beta2",
|
"kotlin-compiler-2.0.20-Beta2",
|
||||||
"kotlin-compiler-2.1.0-Beta1",
|
"kotlin-compiler-2.1.0-Beta1",
|
||||||
"kotlin-compiler-2.1.20-Beta1",
|
"kotlin-compiler-2.1.20-Beta1",
|
||||||
"kotlin-compiler-2.2.0-Beta1",
|
"kotlin-compiler-embeddable-1.5.0",
|
||||||
"kotlin-compiler-2.2.20-Beta2",
|
"kotlin-compiler-embeddable-1.5.10",
|
||||||
|
"kotlin-compiler-embeddable-1.5.20",
|
||||||
|
"kotlin-compiler-embeddable-1.5.30",
|
||||||
"kotlin-compiler-embeddable-1.6.0",
|
"kotlin-compiler-embeddable-1.6.0",
|
||||||
"kotlin-compiler-embeddable-1.6.20",
|
"kotlin-compiler-embeddable-1.6.20",
|
||||||
"kotlin-compiler-embeddable-1.7.0",
|
"kotlin-compiler-embeddable-1.7.0",
|
||||||
@@ -245,8 +223,10 @@ use_repo(
|
|||||||
"kotlin-compiler-embeddable-2.0.20-Beta2",
|
"kotlin-compiler-embeddable-2.0.20-Beta2",
|
||||||
"kotlin-compiler-embeddable-2.1.0-Beta1",
|
"kotlin-compiler-embeddable-2.1.0-Beta1",
|
||||||
"kotlin-compiler-embeddable-2.1.20-Beta1",
|
"kotlin-compiler-embeddable-2.1.20-Beta1",
|
||||||
"kotlin-compiler-embeddable-2.2.0-Beta1",
|
"kotlin-stdlib-1.5.0",
|
||||||
"kotlin-compiler-embeddable-2.2.20-Beta2",
|
"kotlin-stdlib-1.5.10",
|
||||||
|
"kotlin-stdlib-1.5.20",
|
||||||
|
"kotlin-stdlib-1.5.30",
|
||||||
"kotlin-stdlib-1.6.0",
|
"kotlin-stdlib-1.6.0",
|
||||||
"kotlin-stdlib-1.6.20",
|
"kotlin-stdlib-1.6.20",
|
||||||
"kotlin-stdlib-1.7.0",
|
"kotlin-stdlib-1.7.0",
|
||||||
@@ -258,27 +238,33 @@ use_repo(
|
|||||||
"kotlin-stdlib-2.0.20-Beta2",
|
"kotlin-stdlib-2.0.20-Beta2",
|
||||||
"kotlin-stdlib-2.1.0-Beta1",
|
"kotlin-stdlib-2.1.0-Beta1",
|
||||||
"kotlin-stdlib-2.1.20-Beta1",
|
"kotlin-stdlib-2.1.20-Beta1",
|
||||||
"kotlin-stdlib-2.2.0-Beta1",
|
|
||||||
"kotlin-stdlib-2.2.20-Beta2",
|
|
||||||
)
|
)
|
||||||
|
|
||||||
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
|
go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
|
||||||
go_sdk.download(version = "1.25.0")
|
go_sdk.download(version = "1.24.0")
|
||||||
|
|
||||||
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
|
go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
|
||||||
go_deps.from_file(go_mod = "//go/extractor:go.mod")
|
go_deps.from_file(go_mod = "//go/extractor:go.mod")
|
||||||
use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
|
use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
|
||||||
|
|
||||||
ripunzip_archive = use_repo_rule("//misc/ripunzip:ripunzip.bzl", "ripunzip_archive")
|
lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
|
||||||
|
|
||||||
# go to https://github.com/GoogleChrome/ripunzip/releases to find latest version and corresponding sha256s
|
lfs_files(
|
||||||
ripunzip_archive(
|
name = "ripunzip-linux",
|
||||||
name = "ripunzip",
|
srcs = ["//misc/ripunzip:ripunzip-linux"],
|
||||||
sha256_linux = "71482d7a7e4ea9176d5596161c49250c34b136b157c45f632b1111323fbfc0de",
|
executable = True,
|
||||||
sha256_macos_arm = "604194ab13f0aba3972995d995f11002b8fc285c8170401fcd46655065df20c9",
|
)
|
||||||
sha256_macos_intel = "65367b94fd579d93d46f2d2595cc4c9a60cfcf497e3c824f9d1a7b80fa8bd38a",
|
|
||||||
sha256_windows = "ac3874075def2b9e5074a3b5945005ab082cc6e689e1de658da8965bc23e643e",
|
lfs_files(
|
||||||
version = "2.0.4",
|
name = "ripunzip-windows",
|
||||||
|
srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
|
||||||
|
executable = True,
|
||||||
|
)
|
||||||
|
|
||||||
|
lfs_files(
|
||||||
|
name = "ripunzip-macos",
|
||||||
|
srcs = ["//misc/ripunzip:ripunzip-macos"],
|
||||||
|
executable = True,
|
||||||
)
|
)
|
||||||
|
|
||||||
register_toolchains(
|
register_toolchains(
|
||||||
|
|||||||
@@ -1,17 +1,14 @@
|
|||||||
name: "actions"
|
name: "actions"
|
||||||
|
aliases: []
|
||||||
display_name: "GitHub Actions"
|
display_name: "GitHub Actions"
|
||||||
version: 0.0.1
|
version: 0.0.1
|
||||||
column_kind: "utf16"
|
column_kind: "utf16"
|
||||||
unicode_newlines: true
|
unicode_newlines: true
|
||||||
build_modes:
|
build_modes:
|
||||||
- none
|
- none
|
||||||
default_queries:
|
file_coverage_languages: []
|
||||||
- codeql/actions-queries
|
|
||||||
# Actions workflows are not reported separately by the GitHub API, so we can't
|
|
||||||
# associate them with a specific language.
|
|
||||||
github_api_languages: []
|
github_api_languages: []
|
||||||
scc_languages:
|
scc_languages: []
|
||||||
- YAML
|
|
||||||
file_types:
|
file_types:
|
||||||
- name: workflow
|
- name: workflow
|
||||||
display_name: GitHub Actions workflow files
|
display_name: GitHub Actions workflow files
|
||||||
|
|||||||
@@ -1,10 +0,0 @@
|
|||||||
{
|
|
||||||
"paths": [
|
|
||||||
".github/workflows/*.yml",
|
|
||||||
".github/workflows/*.yaml",
|
|
||||||
".github/reusable_workflows/**/*.yml",
|
|
||||||
".github/reusable_workflows/**/*.yaml",
|
|
||||||
"**/action.yml",
|
|
||||||
"**/action.yaml"
|
|
||||||
]
|
|
||||||
}
|
|
||||||
@@ -1,2 +0,0 @@
|
|||||||
@echo off
|
|
||||||
type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
#!/bin/sh
|
|
||||||
|
|
||||||
cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
---
|
|
||||||
lockVersion: 1.0.0
|
|
||||||
dependencies: {}
|
|
||||||
compiled: false
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
name: codeql/actions-examples
|
|
||||||
groups:
|
|
||||||
- actions
|
|
||||||
- examples
|
|
||||||
dependencies:
|
|
||||||
codeql/actions-all: ${workspace}
|
|
||||||
warnOnImplicitThis: true
|
|
||||||
@@ -1,12 +0,0 @@
|
|||||||
/**
|
|
||||||
* @name Uses step with pinned SHA
|
|
||||||
* @description Finds 'uses' steps where the version is a pinned SHA.
|
|
||||||
* @id actions/examples/uses-pinned-sha
|
|
||||||
* @tags example
|
|
||||||
*/
|
|
||||||
|
|
||||||
import actions
|
|
||||||
|
|
||||||
from UsesStep uses
|
|
||||||
where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
|
|
||||||
select uses, "This 'uses' step has a pinned SHA version."
|
|
||||||
@@ -1 +0,0 @@
|
|||||||
|
|
||||||
@@ -1 +0,0 @@
|
|||||||
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
|
|
||||||
@@ -1,28 +0,0 @@
|
|||||||
ql/actions/ql/src/Debug/SyntaxError.ql
|
|
||||||
ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
|
|
||||||
ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
|
|
||||||
@@ -1,24 +0,0 @@
|
|||||||
ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
|
|
||||||
ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
|
|
||||||
@@ -1,17 +0,0 @@
|
|||||||
ql/actions/ql/src/Debug/partial.ql
|
|
||||||
ql/actions/ql/src/Models/CompositeActionsSinks.ql
|
|
||||||
ql/actions/ql/src/Models/CompositeActionsSources.ql
|
|
||||||
ql/actions/ql/src/Models/CompositeActionsSummaries.ql
|
|
||||||
ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
|
|
||||||
ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
|
|
||||||
ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
|
|
||||||
ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
|
|
||||||
ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
|
|
||||||
ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
|
|
||||||
ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
|
|
||||||
ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
|
|
||||||
ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
|
|
||||||
ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
|
|
||||||
ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
|
|
||||||
ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
|
|
||||||
ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql
|
|
||||||
@@ -1,14 +0,0 @@
|
|||||||
import runs_on
|
|
||||||
import pytest
|
|
||||||
from query_suites import *
|
|
||||||
|
|
||||||
well_known_query_suites = ['actions-code-quality.qls', 'actions-code-quality-extended.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
|
|
||||||
|
|
||||||
@runs_on.posix
|
|
||||||
@pytest.mark.parametrize("query_suite", well_known_query_suites)
|
|
||||||
def test(codeql, actions, check_query_suite, query_suite):
|
|
||||||
check_query_suite(query_suite)
|
|
||||||
|
|
||||||
@runs_on.posix
|
|
||||||
def test_not_included_queries(codeql, actions, check_queries_not_included):
|
|
||||||
check_queries_not_included('actions', well_known_query_suites)
|
|
||||||
@@ -1,92 +1,6 @@
|
|||||||
## 0.4.26
|
|
||||||
|
|
||||||
### Major Analysis Improvements
|
|
||||||
|
|
||||||
* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
|
|
||||||
|
|
||||||
## 0.4.25
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.24
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.23
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.22
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.21
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.20
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.19
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.18
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.17
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.16
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.15
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.14
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.13
|
|
||||||
|
|
||||||
### Bug Fixes
|
|
||||||
|
|
||||||
* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
|
|
||||||
|
|
||||||
## 0.4.12
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Fixed performance issues in the parsing of Bash scripts in workflow files,
|
|
||||||
which led to out-of-disk errors when analysing certain workflow files with
|
|
||||||
complex interpolations of shell commands or quoted strings.
|
|
||||||
|
|
||||||
## 0.4.11
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.10
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.9
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.8
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
|
|
||||||
## 0.4.7
|
## 0.4.7
|
||||||
|
|
||||||
### New Features
|
No user-facing changes.
|
||||||
|
|
||||||
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
|
|
||||||
|
|
||||||
## 0.4.6
|
## 0.4.6
|
||||||
|
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.10
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.11
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,7 +0,0 @@
|
|||||||
## 0.4.12
|
|
||||||
|
|
||||||
### Minor Analysis Improvements
|
|
||||||
|
|
||||||
* Fixed performance issues in the parsing of Bash scripts in workflow files,
|
|
||||||
which led to out-of-disk errors when analysing certain workflow files with
|
|
||||||
complex interpolations of shell commands or quoted strings.
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
## 0.4.13
|
|
||||||
|
|
||||||
### Bug Fixes
|
|
||||||
|
|
||||||
* The `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` queries now exclude artifacts downloaded to `$[{ runner.temp }}` in addition to `/tmp`.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.14
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.15
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.16
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.17
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.18
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.19
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.20
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.21
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.22
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.23
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.24
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.25
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,5 +0,0 @@
|
|||||||
## 0.4.26
|
|
||||||
|
|
||||||
### Major Analysis Improvements
|
|
||||||
|
|
||||||
* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
|
|
||||||
@@ -1,5 +1,3 @@
|
|||||||
## 0.4.7
|
## 0.4.7
|
||||||
|
|
||||||
### New Features
|
No user-facing changes.
|
||||||
|
|
||||||
* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
|
|
||||||
|
|||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.8
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,3 +0,0 @@
|
|||||||
## 0.4.9
|
|
||||||
|
|
||||||
No user-facing changes.
|
|
||||||
@@ -1,2 +1,2 @@
|
|||||||
---
|
---
|
||||||
lastReleaseVersion: 0.4.26
|
lastReleaseVersion: 0.4.7
|
||||||
|
|||||||
@@ -70,8 +70,8 @@ class Location extends TLocation, TBaseLocation {
|
|||||||
|
|
||||||
/**
|
/**
|
||||||
* Holds if this element is at the specified location.
|
* Holds if this element is at the specified location.
|
||||||
* The location spans column `sc` of line `sl` to
|
* The location spans column `startcolumn` of line `startline` to
|
||||||
* column `ec` of line `el` in file `p`.
|
* column `endcolumn` of line `endline` in file `filepath`.
|
||||||
* For more information, see
|
* For more information, see
|
||||||
* [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
|
* [Providing locations in CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
|
||||||
*/
|
*/
|
||||||
|
|||||||
@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
|
|||||||
string getNormalizedExpression() { result = normalizeExpr(expression) }
|
string getNormalizedExpression() { result = normalizeExpr(expression) }
|
||||||
}
|
}
|
||||||
|
|
||||||
/** An `env` in workflow, job or step. */
|
/** A common class for `env` in workflow, job or step. */
|
||||||
class Env extends AstNode instanceof EnvImpl {
|
abstract class Env extends AstNode instanceof EnvImpl {
|
||||||
/** Gets an environment variable value given its name. */
|
/** Gets an environment variable value given its name. */
|
||||||
ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
|
ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
|
||||||
|
|
||||||
@@ -261,7 +261,7 @@ class If extends AstNode instanceof IfImpl {
|
|||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* An Environment node representing a deployment environment.
|
* An Environemnt node representing a deployment environment.
|
||||||
*/
|
*/
|
||||||
class Environment extends AstNode instanceof EnvironmentImpl {
|
class Environment extends AstNode instanceof EnvironmentImpl {
|
||||||
string getName() { result = super.getName() }
|
string getName() { result = super.getName() }
|
||||||
|
|||||||
@@ -8,64 +8,35 @@ class BashShellScript extends ShellScript {
|
|||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
private string lineProducer(int i) {
|
||||||
* Gets the line at 0-based index `lineIndex` within this shell script,
|
result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i)
|
||||||
* assuming newlines as separators.
|
|
||||||
*/
|
|
||||||
private string lineProducer(int lineIndex) {
|
|
||||||
result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", lineIndex)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate cmdSubstitutionReplacement(string command, string id, int lineIndex) {
|
private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) {
|
||||||
this.commandInSubstitution(lineIndex, command, id)
|
exists(string line | line = this.lineProducer(k) |
|
||||||
or
|
exists(int i, int j |
|
||||||
this.commandInBackticks(lineIndex, command, id)
|
cmdSubs =
|
||||||
}
|
// $() cmd substitution
|
||||||
|
line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j)
|
||||||
/**
|
.regexpReplaceAll("^\\$\\(", "")
|
||||||
* Holds if there is a command substitution `$(command)` in
|
.regexpReplaceAll("\\)$", "") and
|
||||||
* the line at `lineIndex` in the shell script,
|
id = "cmdsubs:" + k + ":" + i + ":" + j
|
||||||
* and `id` is a unique identifier for this command.
|
)
|
||||||
*/
|
or
|
||||||
private predicate commandInSubstitution(int lineIndex, string command, string id) {
|
exists(int i, int j |
|
||||||
exists(int occurrenceIndex, int occurrenceOffset |
|
// `...` cmd substitution
|
||||||
command =
|
cmdSubs =
|
||||||
// Look for the command inside a $(...) command substitution
|
line.regexpFind("\\`[^\\`]+\\`", i, j)
|
||||||
this.lineProducer(lineIndex)
|
.regexpReplaceAll("^\\`", "")
|
||||||
.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", occurrenceIndex,
|
.regexpReplaceAll("\\`$", "") and
|
||||||
occurrenceOffset)
|
id = "cmd:" + k + ":" + i + ":" + j
|
||||||
// trim starting $( - TODO do this in first regex
|
)
|
||||||
.regexpReplaceAll("^\\$\\(", "")
|
|
||||||
// trim ending ) - TODO do this in first regex
|
|
||||||
.regexpReplaceAll("\\)$", "") and
|
|
||||||
id = "cmdsubs:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
|
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) {
|
||||||
* Holds if `command` is a command in backticks `` `...` `` in
|
old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and
|
||||||
* the line at `lineIndex` in the shell script,
|
this.cmdSubstitutionReplacement(old, new, _)
|
||||||
* and `id` is a unique identifier for this command.
|
|
||||||
*/
|
|
||||||
private predicate commandInBackticks(int lineIndex, string command, string id) {
|
|
||||||
exists(int occurrenceIndex, int occurrenceOffset |
|
|
||||||
command =
|
|
||||||
this.lineProducer(lineIndex)
|
|
||||||
.regexpFind("\\`[^\\`]+\\`", occurrenceIndex, occurrenceOffset)
|
|
||||||
// trim leading backtick - TODO do this in first regex
|
|
||||||
.regexpReplaceAll("^\\`", "")
|
|
||||||
// trim trailing backtick - TODO do this in first regex
|
|
||||||
.regexpReplaceAll("\\`$", "") and
|
|
||||||
id = "cmd:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate rankedCmdSubstitutionReplacements(int i, string command, string commandId) {
|
|
||||||
// rank commands by their unique IDs
|
|
||||||
commandId = rank[i](string c, string id | this.cmdSubstitutionReplacement(c, id, _) | id) and
|
|
||||||
// since we cannot output (command, ID) tuples from the rank operation,
|
|
||||||
// we need to work out the specific command associated with the resulting ID
|
|
||||||
this.cmdSubstitutionReplacement(command, commandId, _)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
|
private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
|
||||||
@@ -93,56 +64,31 @@ class BashShellScript extends ShellScript {
|
|||||||
this.cmdSubstitutionReplacement(result, _, i)
|
this.cmdSubstitutionReplacement(result, _, i)
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if `quotedStr` is a string in double quotes in
|
|
||||||
* the line at `lineIndex` in the shell script,
|
|
||||||
* and `id` is a unique identifier for this quoted string.
|
|
||||||
*/
|
|
||||||
private predicate doubleQuotedString(int lineIndex, string quotedStr, string id) {
|
|
||||||
exists(int occurrenceIndex, int occurrenceOffset |
|
|
||||||
// double quoted string
|
|
||||||
quotedStr =
|
|
||||||
this.cmdSubstitutedLineProducer(lineIndex)
|
|
||||||
.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", occurrenceIndex, occurrenceOffset) and
|
|
||||||
id =
|
|
||||||
"qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
|
|
||||||
quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Holds if `quotedStr` is a string in single quotes in
|
|
||||||
* the line at `lineIndex` in the shell script,
|
|
||||||
* and `id` is a unique identifier for this quoted string.
|
|
||||||
*/
|
|
||||||
private predicate singleQuotedString(int lineIndex, string quotedStr, string id) {
|
|
||||||
exists(int occurrenceIndex, int occurrenceOffset |
|
|
||||||
// single quoted string
|
|
||||||
quotedStr =
|
|
||||||
this.cmdSubstitutedLineProducer(lineIndex)
|
|
||||||
.regexpFind("'((?:\\\\.|[^'\\\\])*)'", occurrenceIndex, occurrenceOffset) and
|
|
||||||
id =
|
|
||||||
"qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
|
|
||||||
quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
|
|
||||||
)
|
|
||||||
}
|
|
||||||
|
|
||||||
private predicate quotedStringReplacement(string quotedStr, string id) {
|
private predicate quotedStringReplacement(string quotedStr, string id) {
|
||||||
exists(int lineIndex |
|
exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) |
|
||||||
this.doubleQuotedString(lineIndex, quotedStr, id)
|
exists(int i, int j |
|
||||||
|
// double quoted string
|
||||||
|
quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and
|
||||||
|
id =
|
||||||
|
"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
|
||||||
|
quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
|
||||||
|
)
|
||||||
or
|
or
|
||||||
this.singleQuotedString(lineIndex, quotedStr, id)
|
exists(int i, int j |
|
||||||
|
// single quoted string
|
||||||
|
quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and
|
||||||
|
id =
|
||||||
|
"qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
|
||||||
|
quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
|
||||||
|
)
|
||||||
) and
|
) and
|
||||||
// Only do this for strings that might otherwise disrupt subsequent parsing
|
// Only do this for strings that might otherwise disrupt subsequent parsing
|
||||||
quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
|
quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate rankedQuotedStringReplacements(int i, string quotedString, string quotedStringId) {
|
private predicate rankedQuotedStringReplacements(int i, string old, string new) {
|
||||||
// rank quoted strings by their nearly-unique IDs
|
old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and
|
||||||
quotedStringId = rank[i](string s, string id | this.quotedStringReplacement(s, id) | id) and
|
this.quotedStringReplacement(old, new)
|
||||||
// since we cannot output (string, ID) tuples from the rank operation,
|
|
||||||
// we need to work out the specific string associated with the resulting ID
|
|
||||||
this.quotedStringReplacement(quotedString, quotedStringId)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {
|
private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {
|
||||||
|
|||||||
@@ -72,7 +72,7 @@ string normalizePath(string path) {
|
|||||||
then result = path
|
then result = path
|
||||||
else
|
else
|
||||||
// foo -> GITHUB_WORKSPACE/foo
|
// foo -> GITHUB_WORKSPACE/foo
|
||||||
if path.regexpMatch("^[^$/~].*")
|
if path.regexpMatch("^[^/~].*")
|
||||||
then result = "GITHUB_WORKSPACE/" + path.regexpReplaceAll("/$", "")
|
then result = "GITHUB_WORKSPACE/" + path.regexpReplaceAll("/$", "")
|
||||||
else
|
else
|
||||||
// ~/foo -> ~/foo
|
// ~/foo -> ~/foo
|
||||||
|
|||||||
@@ -125,11 +125,12 @@ abstract class AstNodeImpl extends TAstNode {
|
|||||||
* Gets the enclosing Step.
|
* Gets the enclosing Step.
|
||||||
*/
|
*/
|
||||||
StepImpl getEnclosingStep() {
|
StepImpl getEnclosingStep() {
|
||||||
this instanceof StepImpl and
|
if this instanceof StepImpl
|
||||||
result = this
|
then result = this
|
||||||
or
|
else
|
||||||
this instanceof ScalarValueImpl and
|
if this instanceof ScalarValueImpl
|
||||||
result.getAChildNode*() = this.getParentNode()
|
then result.getAChildNode*() = this.getParentNode()
|
||||||
|
else none()
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -1415,8 +1416,9 @@ class ExternalJobImpl extends JobImpl, UsesImpl {
|
|||||||
override string getVersion() {
|
override string getVersion() {
|
||||||
exists(YamlString name |
|
exists(YamlString name |
|
||||||
n.lookup("uses") = name and
|
n.lookup("uses") = name and
|
||||||
not name.getValue().matches("\\.%") and
|
if not name.getValue().matches("\\.%")
|
||||||
result = name.getValue().regexpCapture(repoUsesParser(), 4)
|
then result = name.getValue().regexpCapture(repoUsesParser(), 4)
|
||||||
|
else none()
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -286,7 +286,7 @@ private module Cached {
|
|||||||
/**
|
/**
|
||||||
* Holds if `cfn` is the `i`th node in basic block `bb`.
|
* Holds if `cfn` is the `i`th node in basic block `bb`.
|
||||||
*
|
*
|
||||||
* In other words, `i` is the shortest distance from a node `bbStart`
|
* In other words, `i` is the shortest distance from a node `bb`
|
||||||
* that starts a basic block to `cfn` along the `intraBBSucc` relation.
|
* that starts a basic block to `cfn` along the `intraBBSucc` relation.
|
||||||
*/
|
*/
|
||||||
cached
|
cached
|
||||||
|
|||||||
@@ -3,8 +3,6 @@ private import codeql.controlflow.Cfg as CfgShared
|
|||||||
private import codeql.Locations
|
private import codeql.Locations
|
||||||
|
|
||||||
module Completion {
|
module Completion {
|
||||||
import codeql.controlflow.SuccessorType
|
|
||||||
|
|
||||||
private newtype TCompletion =
|
private newtype TCompletion =
|
||||||
TSimpleCompletion() or
|
TSimpleCompletion() or
|
||||||
TBooleanCompletion(boolean b) { b in [false, true] } or
|
TBooleanCompletion(boolean b) { b in [false, true] } or
|
||||||
@@ -27,7 +25,7 @@ module Completion {
|
|||||||
|
|
||||||
override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) }
|
override predicate isValidFor(AstNode e) { not any(Completion c).isValidForSpecific(e) }
|
||||||
|
|
||||||
override DirectSuccessor getAMatchingSuccessorType() { any() }
|
override NormalSuccessor getAMatchingSuccessorType() { any() }
|
||||||
}
|
}
|
||||||
|
|
||||||
class BooleanCompletion extends NormalCompletion, TBooleanCompletion {
|
class BooleanCompletion extends NormalCompletion, TBooleanCompletion {
|
||||||
@@ -51,6 +49,34 @@ module Completion {
|
|||||||
|
|
||||||
override ReturnSuccessor getAMatchingSuccessorType() { any() }
|
override ReturnSuccessor getAMatchingSuccessorType() { any() }
|
||||||
}
|
}
|
||||||
|
|
||||||
|
cached
|
||||||
|
private newtype TSuccessorType =
|
||||||
|
TNormalSuccessor() or
|
||||||
|
TBooleanSuccessor(boolean b) { b in [false, true] } or
|
||||||
|
TReturnSuccessor()
|
||||||
|
|
||||||
|
class SuccessorType extends TSuccessorType {
|
||||||
|
string toString() { none() }
|
||||||
|
}
|
||||||
|
|
||||||
|
class NormalSuccessor extends SuccessorType, TNormalSuccessor {
|
||||||
|
override string toString() { result = "successor" }
|
||||||
|
}
|
||||||
|
|
||||||
|
class BooleanSuccessor extends SuccessorType, TBooleanSuccessor {
|
||||||
|
boolean value;
|
||||||
|
|
||||||
|
BooleanSuccessor() { this = TBooleanSuccessor(value) }
|
||||||
|
|
||||||
|
override string toString() { result = value.toString() }
|
||||||
|
|
||||||
|
boolean getValue() { result = value }
|
||||||
|
}
|
||||||
|
|
||||||
|
class ReturnSuccessor extends SuccessorType, TReturnSuccessor {
|
||||||
|
override string toString() { result = "return" }
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
module CfgScope {
|
module CfgScope {
|
||||||
@@ -101,8 +127,14 @@ private module Implementation implements CfgShared::InputSig<Location> {
|
|||||||
last(scope.(CompositeAction), e, c)
|
last(scope.(CompositeAction), e, c)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
predicate successorTypeIsSimple(SuccessorType t) { t instanceof NormalSuccessor }
|
||||||
|
|
||||||
|
predicate successorTypeIsCondition(SuccessorType t) { t instanceof BooleanSuccessor }
|
||||||
|
|
||||||
SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }
|
SuccessorType getAMatchingSuccessorType(Completion c) { result = c.getAMatchingSuccessorType() }
|
||||||
|
|
||||||
|
predicate isAbnormalExitType(SuccessorType t) { none() }
|
||||||
|
|
||||||
int idOfAstNode(AstNode node) { none() }
|
int idOfAstNode(AstNode node) { none() }
|
||||||
|
|
||||||
int idOfCfgScope(CfgScope scope) { none() }
|
int idOfCfgScope(CfgScope scope) { none() }
|
||||||
|
|||||||
@@ -63,10 +63,10 @@ predicate madSource(DataFlow::Node source, string kind, string fieldName) {
|
|||||||
(
|
(
|
||||||
if fieldName.trim().matches("env.%")
|
if fieldName.trim().matches("env.%")
|
||||||
then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", ""))
|
then source.asExpr() = uses.getInScopeEnvVarExpr(fieldName.trim().replaceAll("env.", ""))
|
||||||
else (
|
else
|
||||||
fieldName.trim().matches("output.%") and
|
if fieldName.trim().matches("output.%")
|
||||||
source.asExpr() = uses
|
then source.asExpr() = uses
|
||||||
)
|
else none()
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -31,14 +31,14 @@ abstract class RemoteFlowSource extends SourceNode {
|
|||||||
class GitHubCtxSource extends RemoteFlowSource {
|
class GitHubCtxSource extends RemoteFlowSource {
|
||||||
string flag;
|
string flag;
|
||||||
string event;
|
string event;
|
||||||
|
GitHubExpression e;
|
||||||
|
|
||||||
GitHubCtxSource() {
|
GitHubCtxSource() {
|
||||||
exists(GitHubExpression e |
|
this.asExpr() = e and
|
||||||
this.asExpr() = e and
|
// github.head_ref
|
||||||
// github.head_ref
|
e.getFieldName() = "head_ref" and
|
||||||
e.getFieldName() = "head_ref" and
|
flag = "branch" and
|
||||||
flag = "branch"
|
(
|
||||||
|
|
|
||||||
event = e.getATriggerEvent().getName() and
|
event = e.getATriggerEvent().getName() and
|
||||||
event = "pull_request_target"
|
event = "pull_request_target"
|
||||||
or
|
or
|
||||||
@@ -148,6 +148,7 @@ class GhCLICommandSource extends RemoteFlowSource, CommandSource {
|
|||||||
class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
|
class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
|
||||||
string cmd;
|
string cmd;
|
||||||
string flag;
|
string flag;
|
||||||
|
string access_path;
|
||||||
Run run;
|
Run run;
|
||||||
|
|
||||||
// Examples
|
// Examples
|
||||||
@@ -162,7 +163,7 @@ class GitHubEventPathSource extends RemoteFlowSource, CommandSource {
|
|||||||
run.getScript().getACommand() = cmd and
|
run.getScript().getACommand() = cmd and
|
||||||
cmd.matches("jq%") and
|
cmd.matches("jq%") and
|
||||||
cmd.matches("%GITHUB_EVENT_PATH%") and
|
cmd.matches("%GITHUB_EVENT_PATH%") and
|
||||||
exists(string regexp, string access_path |
|
exists(string regexp |
|
||||||
untrustedEventPropertiesDataModel(regexp, flag) and
|
untrustedEventPropertiesDataModel(regexp, flag) and
|
||||||
not flag = "json" and
|
not flag = "json" and
|
||||||
access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and
|
access_path = "github.event" + cmd.regexpCapture(".*\\s+([^\\s]+)\\s+.*", 1) and
|
||||||
|
|||||||
@@ -1,7 +1,6 @@
|
|||||||
private import actions
|
private import actions
|
||||||
private import codeql.actions.TaintTracking
|
private import codeql.actions.TaintTracking
|
||||||
private import codeql.actions.dataflow.ExternalFlow
|
private import codeql.actions.dataflow.ExternalFlow
|
||||||
private import codeql.actions.security.ControlChecks
|
|
||||||
import codeql.actions.dataflow.FlowSources
|
import codeql.actions.dataflow.FlowSources
|
||||||
import codeql.actions.DataFlow
|
import codeql.actions.DataFlow
|
||||||
|
|
||||||
@@ -19,6 +18,7 @@ abstract class ArgumentInjectionSink extends DataFlow::Node {
|
|||||||
*/
|
*/
|
||||||
class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
|
class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
|
||||||
string command;
|
string command;
|
||||||
|
string argument;
|
||||||
|
|
||||||
ArgumentInjectionFromEnvVarSink() {
|
ArgumentInjectionFromEnvVarSink() {
|
||||||
exists(Run run, string var |
|
exists(Run run, string var |
|
||||||
@@ -27,7 +27,7 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
|
|||||||
exists(run.getInScopeEnvVarExpr(var)) or
|
exists(run.getInScopeEnvVarExpr(var)) or
|
||||||
var = "GITHUB_HEAD_REF"
|
var = "GITHUB_HEAD_REF"
|
||||||
) and
|
) and
|
||||||
run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, _)
|
run.getScript().getAnEnvReachingArgumentInjectionSink(var, command, argument)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -43,12 +43,13 @@ class ArgumentInjectionFromEnvVarSink extends ArgumentInjectionSink {
|
|||||||
*/
|
*/
|
||||||
class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
|
class ArgumentInjectionFromCommandSink extends ArgumentInjectionSink {
|
||||||
string command;
|
string command;
|
||||||
|
string argument;
|
||||||
|
|
||||||
ArgumentInjectionFromCommandSink() {
|
ArgumentInjectionFromCommandSink() {
|
||||||
exists(CommandSource source, Run run |
|
exists(CommandSource source, Run run |
|
||||||
run = source.getEnclosingRun() and
|
run = source.getEnclosingRun() and
|
||||||
this.asExpr() = run.getScript() and
|
this.asExpr() = run.getScript() and
|
||||||
run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, _)
|
run.getScript().getACmdReachingArgumentInjectionSink(source.getCommand(), command, argument)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -64,16 +65,6 @@ class ArgumentInjectionFromMaDSink extends ArgumentInjectionSink {
|
|||||||
override string getCommand() { result = "unknown" }
|
override string getCommand() { result = "unknown" }
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Gets the event that is relevant for the given node in the context of argument injection.
|
|
||||||
*
|
|
||||||
* This is used to highlight the event in the query results when an alert is raised.
|
|
||||||
*/
|
|
||||||
Event getRelevantEventInPrivilegedContext(DataFlow::Node node) {
|
|
||||||
inPrivilegedContext(node.asExpr(), result) and
|
|
||||||
not exists(ControlCheck check | check.protects(node.asExpr(), result, "argument-injection"))
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* A taint-tracking configuration for unsafe user input
|
* A taint-tracking configuration for unsafe user input
|
||||||
* that is used to construct and evaluate a code script.
|
* that is used to construct and evaluate a code script.
|
||||||
@@ -97,14 +88,6 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
|
|||||||
run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
|
run.getScript().getAnEnvReachingArgumentInjectionSink(var, _, _)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
predicate observeDiffInformedIncrementalMode() { any() }
|
|
||||||
|
|
||||||
Location getASelectedSinkLocation(DataFlow::Node sink) {
|
|
||||||
result = sink.getLocation()
|
|
||||||
or
|
|
||||||
result = getRelevantEventInPrivilegedContext(sink).getLocation()
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
|
/** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
|
||||||
|
|||||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user