-
Notifications
You must be signed in to change notification settings - Fork 322
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1107 from github/update-v2.1.13-31367d4e
Merge main into releases/v2
- Loading branch information
Showing
47 changed files
with
1,280 additions
and
138 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,20 @@ | ||
| name: Check SARIF | ||
| description: Checks a SARIF file to see if certain queries were run and others were not run. | ||
| inputs: | ||
| sarif-file: | ||
| required: true | ||
| description: The SARIF file to check | ||
|
|
||
| queries-run: | ||
| required: true | ||
| description: | | ||
| Comma separated list of query ids that should be included in this SARIF file. | ||
| queries-not-run: | ||
| required: true | ||
| description: | | ||
| Comma separated list of query ids that should NOT be included in this SARIF file. | ||
| runs: | ||
| using: node12 | ||
| main: index.js |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| 'use strict' | ||
|
|
||
| const core = require('@actions/core') | ||
| const fs = require('fs') | ||
|
|
||
| const sarif = JSON.parse(fs.readFileSync(core.getInput('sarif-file'), 'utf8')) | ||
| const rules = sarif.runs[0].tool.extensions.flatMap(ext => ext.rules || []) | ||
| const ruleIds = rules.map(rule => rule.id) | ||
|
|
||
| // Check that all the expected queries ran | ||
| const expectedQueriesRun = getQueryIdsInput('queries-run') | ||
| const queriesThatShouldHaveRunButDidNot = expectedQueriesRun.filter(queryId => !ruleIds.includes(queryId)) | ||
|
|
||
| if (queriesThatShouldHaveRunButDidNot.length > 0) { | ||
| core.setFailed(`The following queries were expected to run but did not: ${queriesThatShouldHaveRunButDidNot.join(', ')}`) | ||
| } | ||
|
|
||
| // Check that all the unexpected queries did not run | ||
| const expectedQueriesNotRun = getQueryIdsInput('queries-not-run') | ||
|
|
||
| const queriesThatShouldNotHaveRunButDid = expectedQueriesNotRun.filter(queryId => ruleIds.includes(queryId)) | ||
|
|
||
| if (queriesThatShouldNotHaveRunButDid.length > 0) { | ||
| core.setFailed(`The following queries were NOT expected to have run but did: ${queriesThatShouldNotHaveRunButDid.join(', ')}`) | ||
| } | ||
|
|
||
|
|
||
| core.startGroup('All queries run') | ||
| rules.forEach(rule => { | ||
| core.info(`${rule.id}: ${(rule.properties && rule.properties.name) || rule.name}`) | ||
| }) | ||
| core.endGroup() | ||
|
|
||
| core.startGroup('Full SARIF') | ||
| core.info(JSON.stringify(sarif, null, 2)) | ||
| core.endGroup() | ||
|
|
||
| function getQueryIdsInput(name) { | ||
| return core.getInput(name) | ||
| .split(',') | ||
| .map(q => q.trim()) | ||
| .filter(q => q.length > 0) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,52 @@ | ||
| name: Query Filter Test | ||
| description: Runs a test of query filters using the check SARIF action | ||
| inputs: | ||
| sarif-file: | ||
| required: true | ||
| description: The SARIF file to check | ||
|
|
||
| queries-run: | ||
| required: true | ||
| description: | | ||
| Comma separated list of query ids that should be included in this SARIF file. | ||
| queries-not-run: | ||
| required: true | ||
| description: | | ||
| Comma separated list of query ids that should NOT be included in this SARIF file. | ||
| config-file: | ||
| required: true | ||
| description: | | ||
| The location of the codeql configuration file to use. | ||
| tools: | ||
| required: true | ||
| description: | | ||
| The url of codeql to use. | ||
| runs: | ||
| using: composite | ||
| steps: | ||
| - uses: ./../action/init | ||
| with: | ||
| languages: javascript | ||
| config-file: ${{ inputs.config-file }} | ||
| tools: ${{ inputs.tools }} | ||
| db-location: ${{ runner.temp }}/query-filter-test | ||
| - uses: ./../action/analyze | ||
| with: | ||
| output: ${{ runner.temp }}/results | ||
| upload-database: false | ||
| upload: false | ||
| env: | ||
| TEST_MODE: "true" | ||
| - name: Check SARIF | ||
| uses: ./../action/.github/check-sarif | ||
| with: | ||
| sarif-file: ${{ inputs.sarif-file }} | ||
| queries-run: ${{ inputs.queries-run}} | ||
| queries-not-run: ${{ inputs.queries-not-run}} | ||
| - name: Cleanup after test | ||
| shell: bash | ||
| run: rm -rf "$RUNNER_TEMP/results" "$RUNNER_TEMP//query-filter-test" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,47 @@ | ||
| name: Check queries that ran | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| - releases/v1 | ||
| - releases/v2 | ||
| pull_request: | ||
| types: | ||
| - opened | ||
| - synchronize | ||
| - reopened | ||
| - ready_for_review | ||
| workflow_dispatch: {} | ||
|
|
||
| jobs: | ||
| expected-queries: | ||
| name: Expected Queries Tests | ||
| timeout-minutes: 45 | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check out repository | ||
| uses: actions/checkout@v3 | ||
| - name: Prepare test | ||
| id: prepare-test | ||
| uses: ./.github/prepare-test | ||
| with: | ||
| version: latest | ||
| - uses: ./../action/init | ||
| with: | ||
| languages: javascript | ||
| tools: ${{ steps.prepare-test.outputs.tools-url }} | ||
| - uses: ./../action/analyze | ||
| with: | ||
| output: ${{ runner.temp }}/results | ||
| upload-database: false | ||
| upload: false | ||
| env: | ||
| TEST_MODE: true | ||
|
|
||
| - name: Check Sarif | ||
| uses: ./../action/.github/check-sarif | ||
| with: | ||
| sarif-file: ${{ runner.temp }}/results/javascript.sarif | ||
| queries-run: js/incomplete-hostname-regexp,js/path-injection | ||
| queries-not-run: foo,bar |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,56 @@ | ||
| name: Query filters tests | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| - releases/v1 | ||
| - releases/v2 | ||
| pull_request: | ||
| types: | ||
| - opened | ||
| - synchronize | ||
| - reopened | ||
| - ready_for_review | ||
| workflow_dispatch: {} | ||
|
|
||
| jobs: | ||
| query-filters: | ||
| name: Query Filters Tests | ||
| timeout-minutes: 45 | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Check out repository | ||
| uses: actions/checkout@v3 | ||
| - name: Prepare test | ||
| id: prepare-test | ||
| uses: ./.github/prepare-test | ||
| with: | ||
| version: latest | ||
|
|
||
| - name: Check SARIF for default queries with Single include, Single exclude | ||
| uses: ./../action/.github/query-filter-test | ||
| with: | ||
| sarif-file: ${{ runner.temp }}/results/javascript.sarif | ||
| queries-run: js/zipslip | ||
| queries-not-run: js/path-injection | ||
| config-file: ./.github/codeql/codeql-config-query-filters1.yml | ||
| tools: ${{ steps.prepare-test.outputs.tools-url }} | ||
|
|
||
| - name: Check SARIF for query packs with Single include, Single exclude | ||
| uses: ./../action/.github/query-filter-test | ||
| with: | ||
| sarif-file: ${{ runner.temp }}/results/javascript.sarif | ||
| queries-run: js/zipslip,javascript/example/empty-or-one-block | ||
| queries-not-run: js/path-injection | ||
| config-file: ./.github/codeql/codeql-config-query-filters2.yml | ||
| tools: ${{ steps.prepare-test.outputs.tools-url }} | ||
|
|
||
| - name: Check SARIF for query packs and local queries with Single include, Single exclude | ||
| uses: ./../action/.github/query-filter-test | ||
| with: | ||
| sarif-file: ${{ runner.temp }}/results/javascript.sarif | ||
| queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs | ||
| queries-not-run: js/path-injection,complex-python-querypack/show-ifs,complex-python-querypack/foo/bar/show-ifs | ||
| config-file: ./.github/codeql/codeql-config-query-filters3.yml | ||
| tools: ${{ steps.prepare-test.outputs.tools-url }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Large diffs are not rendered by default.
Oops, something went wrong.
Large diffs are not rendered by default.
Oops, something went wrong.
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Oops, something went wrong.
Oops, something went wrong.