Skip to content

Commit

Permalink
Merge pull request #616 from github/update-v1.0.5-1c26d408
Browse files Browse the repository at this point in the history
Merge main into v1
  • Loading branch information
adityasharad authored Jul 12, 2021
2 parents 03450ff + aa03f9b commit 500dad9
Show file tree
Hide file tree
Showing 25 changed files with 394 additions and 211 deletions.
115 changes: 103 additions & 12 deletions .github/workflows/pr-checks.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ on:
push:
branches: [main, v1]
pull_request:
workflow_dispatch:

jobs:
lint-js:
Expand Down Expand Up @@ -119,9 +120,6 @@ jobs:
with:
config-file: ".github/codeql/codeql-config-packaging.yml"
languages: javascript
# TODO: this can be removed when cli v2.5.6 is released and available in the tool cache
tools: https://github.com/dsp-testing/aeisenberg-codeql-action-packaging/releases/download/codeql-bundle-20210615/codeql-bundle-linux64.tar.gz

- name: Build code
shell: bash
run: ./build.sh
Expand Down Expand Up @@ -164,8 +162,6 @@ jobs:
config-file: ".github/codeql/codeql-config-packaging2.yml"
languages: javascript
packs: dsp-testing/[email protected], dsp-testing/codeql-pack2
# TODO: this can be removed when cli v2.5.6 is released and available in the tool cache
tools: https://github.com/dsp-testing/aeisenberg-codeql-action-packaging/releases/download/codeql-bundle-20210615/codeql-bundle-linux64.tar.gz

- name: Build code
shell: bash
Expand Down Expand Up @@ -209,8 +205,6 @@ jobs:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/[email protected]
languages: javascript
# TODO: this can be removed when cli v2.5.6 is released and available in the tool cache
tools: https://github.com/dsp-testing/aeisenberg-codeql-action-packaging/releases/download/codeql-bundle-20210615/codeql-bundle-linux64.tar.gz

- name: Build code
shell: bash
Expand All @@ -234,13 +228,67 @@ jobs:
exit 1
fi
# Tests a split workflow where database construction and query execution happen in different steps
test-split-workflow:
needs: [check-js, check-node-modules]
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v2
- name: Move codeql-action
shell: bash
run: |
mkdir ../action
mv * .github ../action/
mv ../action/tests/multi-language-repo/{*,.github} .
mv ../action/.github/workflows .github
- uses: ./../action/init
with:
config-file: ".github/codeql/codeql-config-packaging3.yml"
packs: +dsp-testing/[email protected]
languages: javascript
tools: latest
- name: Build code
shell: bash
run: ./build.sh
- uses: ./../action/analyze
with:
skip-queries: true
output: "${{ runner.temp }}/results"
env:
TEST_MODE: true
- name: Assert No Results
run: |
if [ "$(ls -A $RUNNER_TEMP/results)" ]; then
echo "Expected results directory to be empty after skipping query execution!"
exit 1
fi
- uses: ./../action/analyze
with:
output: "${{ runner.temp }}/results"
env:
TEST_MODE: true
- name: Assert Results
run: |
cd "$RUNNER_TEMP/results"
# We should have 3 hits from these rules
EXPECTED_RULES="javascript/example/empty-or-one-block javascript/example/empty-or-one-block javascript/example/two-block"
# use tr to replace newlines with spaces and xargs to trim leading and trailing whitespace
RULES="$(cat javascript.sarif | jq -r '.runs[0].results[].ruleId' | sort | tr "\n" " " | xargs)"
echo "Found matching rules '$RULES'"
if [ "$RULES" != "$EXPECTED_RULES" ]; then
echo "Did not match expected rules '$EXPECTED_RULES'."
exit 1
fi
# Identify the CodeQL tool versions to integration test against.
check-codeql-versions:
needs: [check-js, check-node-modules]
runs-on: ubuntu-latest
outputs:
versions: ${{ steps.compare.outputs.versions }}
nightly-url: ${{ steps.get-url.outputs.nightly-url }}

steps:
- uses: actions/checkout@v2
Expand All @@ -266,22 +314,45 @@ jobs:
with:
tools: latest
languages: javascript
- name: Compare default and latest CodeQL bundle versions
- name: Remove empty database
# allows us to run init a third time
run: |
rm -rf "$RUNNER_TEMP/codeql_databases"
- name: Get nightly release URL
id: get-url
env:
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
shell: bash
# This workflow step gets an unstable testing version of the CodeQL CLI. It should not be used outside of these tests.
run: |
export LATEST=`gh release list --repo dsp-testing/codeql-cli-nightlies -L 1 | cut -f 3`
echo "::set-output name=nightly-url::https://github.com/dsp-testing/codeql-cli-nightlies/releases/download/$LATEST/codeql-bundle.tar.gz"
- name: Init with a CodeQL bundle from a nightly release
id: init-nightly
uses: ./../action/init
with:
tools: ${{ steps.get-url.outputs.nightly-url }}
languages: javascript
- name: Compare CodeQL bundle versions
id: compare
env:
CODEQL_DEFAULT: ${{ steps.init-default.outputs.codeql-path }}
CODEQL_LATEST: ${{ steps.init-latest.outputs.codeql-path }}
CODEQL_NIGHTLY: ${{ steps.init-nightly.outputs.codeql-path }}
NIGHTLY_URL: ${{ steps.get-url.outputs.nightly-url }}
run: |
CODEQL_VERSION_DEFAULT="$("$CODEQL_DEFAULT" version --format terse)"
CODEQL_VERSION_LATEST="$("$CODEQL_LATEST" version --format terse)"
CODEQL_VERSION_NIGHTLY="$("$CODEQL_NIGHTLY" version --format terse)"
echo "Default CodeQL bundle version is $CODEQL_VERSION_DEFAULT"
echo "Latest CodeQL bundle version is $CODEQL_VERSION_LATEST"
echo "Nightly CodeQL bundle version is $CODEQL_VERSION_NIGHTLY"
if [[ "$CODEQL_VERSION_DEFAULT" == "$CODEQL_VERSION_LATEST" ]]; then
# Just use `tools: null` to avoid duplication in the integration tests.
VERSIONS_JSON='[null]'
# Skip `tools: latest` since it would be the same as `tools: null`
VERSIONS_JSON="[null, \"$NIGHTLY_URL\"]"
else
# Use both `tools: null` and `tools: latest` in the integration tests.
VERSIONS_JSON='[null, "latest"]'
# Run integration tests with all three bundles.
VERSIONS_JSON="[null, \"$NIGHTLY_URL\", \"latest\"]"
fi
# Output a JSON-encoded list with the distinct versions to test against.
echo "Suggested matrix config for integration tests: $VERSIONS_JSON"
Expand Down Expand Up @@ -803,3 +874,23 @@ jobs:
# Deliberately don't use TEST_MODE here. This is specifically testing
# the compatibility with the API.
runner/dist/codeql-runner-linux upload --sarif-file src/testdata/empty-sarif.sarif --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --ref $GITHUB_REF --github-url $GITHUB_SERVER_URL --github-auth ${{ github.token }}
multi-language-repo_test-local-codeql:
needs: [check-js, check-node-modules, check-codeql-versions]
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v2
- name: Move codeql-action
run: |
wget ${{ needs.check-codeql-versions.outputs.nightly-url }}
mkdir ../action
mv * .github ../action/
mv ../action/tests/multi-language-repo/{*,.github} .
mv ../action/.github/workflows .github
- uses: ./../action/init
with:
tools: ../action/codeql-bundle.tar.gz
- name: Build code
run: ./build.sh
- uses: ./../action/analyze
5 changes: 5 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# CodeQL Action and CodeQL Runner Changelog

## 1.0.5 - 12 Jul 2021

- The `analyze` step of the Action now supports a `skip-queries` option to merely build the CodeQL database without analyzing. This functionality is not present in the runner. Additionally, the step will no longer fail if it encounters a finalized database, and will instead continue with query execution. [#602](https://github.com/github/codeql-action/pull/602)
- Update the warning message when the baseline lines of code count is unavailable. [#608](https://github.com/github/codeql-action/pull/608)

## 1.0.4 - 28 Jun 2021

- Fix `RUNNER_TEMP environment variable must be set` when using runner. [#594](https://github.com/github/codeql-action/pull/594)
Expand Down
8 changes: 8 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -128,3 +128,11 @@ By default, this will override any queries specified in a config file. If you wi
## Troubleshooting

Read about [troubleshooting code scanning](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning).

### Note on "missing analysis" message

The very first time code scanning is run and if it is on a pull request, you will probably get a message mentioning a "missing analysis". This is expected.

After code scanning has analyzed the code in a pull request, it needs to compare the analysis of the topic branch (the merge commit of the branch you used to create the pull request) with the analysis of the base branch (the branch into which you want to merge the pull request). This allows code scanning to compute which alerts are newly introduced by the pull request, which alerts were already present in the base branch, and whether any existing alerts are fixed by the changes in the pull request. Initially, if you use a pull request to add code scanning to a repository, the base branch has not yet been analyzed, so it's not possible to compute these details. In this case, when you click through from the results check on the pull request you will see the "Missing analysis for base commit SHA-HASH" message.

For more information and other causes of this message, see [Reasons for the "missing analysis" message](https://docs.github.com/en/code-security/secure-coding/automatically-scanning-your-code-for-vulnerabilities-and-errors/setting-up-code-scanning-for-a-repository#reasons-for-the-missing-analysis-message)
4 changes: 4 additions & 0 deletions analyze/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,10 @@ inputs:
description: Specify whether or not to add code snippets to the output sarif file.
required: false
default: "false"
skip-queries:
description: If this option is set, the CodeQL database will be built but no queries will be run on it. Thus, no results will be produced.
required: false
default: "false"
threads:
description: The number of threads to be used by CodeQL.
required: false
Expand Down
32 changes: 23 additions & 9 deletions lib/analyze-action.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 500dad9

Please sign in to comment.