Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
codeql-action/.github/workflows/__ml-powered-queries.yml
View runs Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Warning: This file is generated automatically, and should not be modified. | |
| # Instead, please modify the template in the pr-checks directory and run: | |
| # pip install ruamel.yaml && python3 sync.py | |
| # to regenerate this file. | |
| name: PR Check - ML-powered queries | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GO111MODULE: auto | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - releases/v1 | |
| - releases/v2 | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - reopened | |
| - ready_for_review | |
| workflow_dispatch: {} | |
| jobs: | |
| ml-powered-queries: | |
| strategy: | |
| matrix: | |
| include: | |
| - os: ubuntu-latest | |
| version: stable-20220120 | |
| - os: macos-latest | |
| version: stable-20220120 | |
| - os: windows-latest | |
| version: stable-20220120 | |
| - os: ubuntu-latest | |
| version: cached | |
| - os: macos-latest | |
| version: cached | |
| - os: windows-latest | |
| version: cached | |
| - os: ubuntu-latest | |
| version: latest | |
| - os: macos-latest | |
| version: latest | |
| - os: windows-latest | |
| version: latest | |
| - os: ubuntu-latest | |
| version: nightly-latest | |
| - os: macos-latest | |
| version: nightly-latest | |
| - os: windows-latest | |
| version: nightly-latest | |
| name: ML-powered queries | |
| timeout-minutes: 45 | |
| runs-on: ${{ matrix.os }} | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@v3 | |
| - name: Prepare test | |
| id: prepare-test | |
| uses: ./.github/prepare-test | |
| with: | |
| version: ${{ matrix.version }} | |
| - uses: ./../action/init | |
| with: | |
| languages: javascript | |
| queries: security-extended | |
| source-root: ./../action/tests/ml-powered-queries-repo | |
| tools: ${{ steps.prepare-test.outputs.tools-url }} | |
| env: | |
| TEST_MODE: true | |
| - uses: ./../action/analyze | |
| with: | |
| output: ${{ runner.temp }}/results | |
| upload-database: false | |
| env: | |
| TEST_MODE: true | |
| - name: Upload SARIF | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json | |
| path: ${{ runner.temp }}/results/javascript.sarif | |
| retention-days: 7 | |
| - name: Check sarif | |
| uses: ./../action/.github/check-sarif | |
| if: matrix.os != 'windows-latest' || matrix.version == 'latest' || matrix.version | |
| == 'nightly-latest' | |
| with: | |
| sarif-file: ${{ runner.temp }}/results/javascript.sarif | |
| queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss | |
| queries-not-run: foo,bar | |
| - name: Check results | |
| # Running ML-powered queries on Windows requires CodeQL CLI 2.9.0+. We don't run these checks | |
| # against Windows and `cached` while CodeQL CLI 2.9.0 makes its way into `cached` to avoid the | |
| # test starting to fail when the cached CodeQL Bundle gets updated. Once the CodeQL Bundle | |
| # containing CodeQL CLI 2.9.0 has been fully released, we can drop this line and start running | |
| # these checks on Windows and `cached`. | |
| if: matrix.os != 'windows-latest' || matrix.version != 'cached' | |
| env: | |
| # Running on Windows requires CodeQL CLI 2.9.0+, which has so far only made it to 'latest'. | |
| SHOULD_RUN_ML_POWERED_QUERIES: ${{ matrix.os != 'windows-latest' || matrix.version | |
| == 'latest' || matrix.version == 'nightly-latest' }} | |
| shell: bash | |
| run: | | |
| echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}" | |
| cd "$RUNNER_TEMP/results" | |
| # We should run at least the ML-powered queries in `expected_rules`. | |
| expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss" | |
| for rule in ${expected_rules}; do | |
| found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) | | |
| flatten | .[].id] | any(. == $rule)' javascript.sarif) | |
| echo "Did find rule '${rule}': ${found_rule}" | |
| if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then | |
| echo "Expected SARIF output to contain rule '${rule}', but found no such rule." | |
| exit 1 | |
| elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then | |
| echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis." | |
| exit 1 | |
| fi | |
| done | |
| # We should have at least one alert from an ML-powered query. | |
| num_alerts=$(jq '[.runs[0].results[] | | |
| select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \ | |
| javascript.sarif) | |
| echo "Found ${num_alerts} alerts from ML-powered queries."; | |
| if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then | |
| echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}." | |
| exit 1 | |
| elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then | |
| echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}." | |
| exit 1 | |
| fi | |
| env: | |
| INTERNAL_CODEQL_ACTION_DEBUG_LOC: true |