From 2789712b422ac12cb21edce665a075976d613c9f Mon Sep 17 00:00:00 2001 From: Kevin Sawicki Date: Tue, 28 Apr 2020 11:29:10 -0700 Subject: [PATCH 1/6] Send tool names as parameter to upload endpoint --- lib/upload-lib.js | 4 +++- lib/util.js | 18 +++++++++++++++ src/testdata/tool-names.sarif | 41 +++++++++++++++++++++++++++++++++++ src/upload-lib.ts | 5 ++++- src/util.ts | 20 +++++++++++++++++ 5 files changed, 86 insertions(+), 2 deletions(-) create mode 100644 src/testdata/tool-names.sarif diff --git a/lib/upload-lib.js b/lib/upload-lib.js index 7896d419e..f28f085a4 100644 --- a/lib/upload-lib.js +++ b/lib/upload-lib.js @@ -100,6 +100,7 @@ async function uploadFiles(sarifFiles) { if (matrix === "null" || matrix === "") { matrix = undefined; } + const toolNames = util.getToolNames(sarifPayload); const payload = JSON.stringify({ "commit_oid": commitOid, "ref": ref, @@ -108,7 +109,8 @@ async function uploadFiles(sarifFiles) { "workflow_run_id": workflowRunID, "checkout_uri": checkoutURI, "environment": matrix, - "started_at": startedAt + "started_at": startedAt, + "tool_names": toolNames, }); core.info('Uploading results'); const githubToken = core.getInput('token'); diff --git a/lib/util.js b/lib/util.js index 0612c1268..d12a91044 100644 --- a/lib/util.js +++ b/lib/util.js @@ -262,3 +262,21 @@ async function reportActionSucceeded(action) { await sendStatusReport(await createStatusReport(action, 'success')); } exports.reportActionSucceeded = reportActionSucceeded; +/** + * Get the array of all the tool names contained in the given sarif contents. + * + * Returns an array of unique string tool names. + */ +function getToolNames(sarifContents) { + const sarif = JSON.parse(sarifContents); + const toolNames = {}; + for (const run of sarif.runs || []) { + const tool = run.tool || {}; + const driver = tool.driver || {}; + if (typeof driver.name === "string" && driver.name.length > 0) { + toolNames[driver.name] = true; + } + } + return Object.keys(toolNames); +} +exports.getToolNames = getToolNames; diff --git a/src/testdata/tool-names.sarif b/src/testdata/tool-names.sarif new file mode 100644 index 000000000..ee6cd8cd7 --- /dev/null +++ b/src/testdata/tool-names.sarif @@ -0,0 +1,41 @@ +{ + "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json", + "version": "2.1.0", + "runs": [ + { + "tool": { + "driver": { + "name": "CodeQL command-line toolchain" + } + } + }, + { + "tool": { + "driver": { + "name": "CodeQL command-line toolchain" + } + } + }, + { + "tool": { + "driver": { + "name": "ESLint" + } + } + }, + { + "tool": { + "driver": { + "name": "" + } + } + }, + { + "tool": { + "driver": { + "name": null + } + } + } + ] +} diff --git a/src/upload-lib.ts b/src/upload-lib.ts index 1d35b0b2a..8c6a31e4e 100644 --- a/src/upload-lib.ts +++ b/src/upload-lib.ts @@ -98,6 +98,8 @@ async function uploadFiles(sarifFiles: string[]) { matrix = undefined; } + const toolNames = util.getToolNames(sarifPayload); + const payload = JSON.stringify({ "commit_oid": commitOid, "ref": ref, @@ -106,7 +108,8 @@ async function uploadFiles(sarifFiles: string[]) { "workflow_run_id": workflowRunID, "checkout_uri": checkoutURI, "environment": matrix, - "started_at": startedAt + "started_at": startedAt, + "tool_names": toolNames, }); core.info('Uploading results'); diff --git a/src/util.ts b/src/util.ts index 7bb3ec0a5..cfdd2419c 100644 --- a/src/util.ts +++ b/src/util.ts @@ -293,3 +293,23 @@ export async function reportActionFailed(action: string, cause?: string, excepti export async function reportActionSucceeded(action: string) { await sendStatusReport(await createStatusReport(action, 'success')); } + +/** + * Get the array of all the tool names contained in the given sarif contents. + * + * Returns an array of unique string tool names. + */ +export function getToolNames(sarifContents: string): string[] { + const sarif = JSON.parse(sarifContents); + const toolNames = {}; + + for (const run of sarif.runs || []) { + const tool = run.tool || {}; + const driver = tool.driver || {}; + if (typeof driver.name === "string" && driver.name.length > 0) { + toolNames[driver.name] = true; + } + } + + return Object.keys(toolNames); +} From b419ff6d7b5eaa802c5ac487d43f81187a272c23 Mon Sep 17 00:00:00 2001 From: David Verdeguer Date: Wed, 29 Apr 2020 11:43:39 +0200 Subject: [PATCH 2/6] Error on queries with missing/multiple languages --- lib/finalize-db.js | 4 ++-- src/finalize-db.ts | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/finalize-db.js b/lib/finalize-db.js index 8679a7d0f..f73bb4951 100644 --- a/lib/finalize-db.js +++ b/lib/finalize-db.js @@ -73,12 +73,12 @@ async function resolveQueryLanguages(codeqlCmd, config) { const noDeclaredLanguage = resolveQueriesOutputObject.noDeclaredLanguage; const noDeclaredLanguageQueries = Object.keys(noDeclaredLanguage); if (noDeclaredLanguageQueries.length !== 0) { - core.warning('Some queries do not declare a language:\n' + noDeclaredLanguageQueries.join('\n')); + throw new Error('Some queries do not declare a language, their qlpack.yml file is missing or is invalid'); } const multipleDeclaredLanguages = resolveQueriesOutputObject.multipleDeclaredLanguages; const multipleDeclaredLanguagesQueries = Object.keys(multipleDeclaredLanguages); if (multipleDeclaredLanguagesQueries.length !== 0) { - core.warning('Some queries declare multiple languages:\n' + multipleDeclaredLanguagesQueries.join('\n')); + throw new Error('Some queries declare multiple languages, their qlpack.yml file is missing or is invalid'); } } return res; diff --git a/src/finalize-db.ts b/src/finalize-db.ts index a03e68a1b..b9605b0e2 100644 --- a/src/finalize-db.ts +++ b/src/finalize-db.ts @@ -82,13 +82,13 @@ async function resolveQueryLanguages(codeqlCmd: string, config: configUtils.Conf const noDeclaredLanguage = resolveQueriesOutputObject.noDeclaredLanguage; const noDeclaredLanguageQueries = Object.keys(noDeclaredLanguage); if (noDeclaredLanguageQueries.length !== 0) { - core.warning('Some queries do not declare a language:\n' + noDeclaredLanguageQueries.join('\n')); + throw new Error('Some queries do not declare a language, their qlpack.yml file is missing or is invalid'); } const multipleDeclaredLanguages = resolveQueriesOutputObject.multipleDeclaredLanguages; const multipleDeclaredLanguagesQueries = Object.keys(multipleDeclaredLanguages); if (multipleDeclaredLanguagesQueries.length !== 0) { - core.warning('Some queries declare multiple languages:\n' + multipleDeclaredLanguagesQueries.join('\n')); + throw new Error('Some queries declare multiple languages, their qlpack.yml file is missing or is invalid'); } } From 6f11b5d2137e77ab676c0610b5a372fe06ef538e Mon Sep 17 00:00:00 2001 From: Kevin Sawicki Date: Wed, 29 Apr 2020 08:04:46 -0700 Subject: [PATCH 3/6] Add initial util test --- src/util.test.ts | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 src/util.test.ts diff --git a/src/util.test.ts b/src/util.test.ts new file mode 100644 index 000000000..3dfd2f72d --- /dev/null +++ b/src/util.test.ts @@ -0,0 +1,9 @@ +import * as fs from 'fs'; + +import * as util from './util'; + +test('getToolNames', () => { + const input = fs.readFileSync(__dirname + '/testdata/tool-names.sarif', 'utf8') + const toolNames = util.getToolNames(input); + expect(toolNames).toStrictEqual(["CodeQL command-line toolchain", "ESLint"]) +}) From 62f756fc9dcd6e91482f05fbdc4b57d3a49d7957 Mon Sep 17 00:00:00 2001 From: Kevin Sawicki Date: Wed, 29 Apr 2020 08:10:28 -0700 Subject: [PATCH 4/6] Fix other typo --- .github/pull_request_template.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index d6467871a..52ccfdb09 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -1,7 +1,7 @@ ### Merge / deployment checklist -- Run test builds as necessary. Can be on this repository or elsewhere as needed in order to test the change - please include links to tests in otehr repos! +- Run test builds as necessary. Can be on this repository or elsewhere as needed in order to test the change - please include links to tests in other repos! - [ ] CodeQL using init/finish actions - [ ] 3rd party tool using upload action - [ ] Confirm this change is backwards compatible with existing workflows. -- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/master/README.md) has been updated if necessary. \ No newline at end of file +- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/master/README.md) has been updated if necessary. From 0cf8450c2400c10d330933a5102827114f907cbe Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 29 Apr 2020 18:03:56 +0000 Subject: [PATCH 5/6] Bump @actions/http-client from 1.0.4 to 1.0.8 Bumps [@actions/http-client](https://github.com/actions/http-client) from 1.0.4 to 1.0.8. - [Release notes](https://github.com/actions/http-client/releases) - [Changelog](https://github.com/actions/http-client/blob/master/RELEASES.md) - [Commits](https://github.com/actions/http-client/commits) Signed-off-by: dependabot[bot] --- package-lock.json | 6 +++--- package.json | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/package-lock.json b/package-lock.json index 63573714f..f3d9d22af 100644 --- a/package-lock.json +++ b/package-lock.json @@ -15,9 +15,9 @@ "integrity": "sha512-nvFkxwiicvpzNiCBF4wFBDfnBvi7xp/as7LE1hBxBxKG2L29+gkIPBiLKMVORL+Hg3JNf07AKRfl0V5djoypjQ==" }, "@actions/http-client": { - "version": "1.0.4", - "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.4.tgz", - "integrity": "sha512-6EzXhqapKKtYr21ZnFQVBYwfrYPKPCivuSkUN/66/BDakkH2EPjUZH8tZ3MgHdI+gQIdcsY0ybbxw9ZEOmJB6g==", + "version": "1.0.8", + "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.8.tgz", + "integrity": "sha512-G4JjJ6f9Hb3Zvejj+ewLLKLf99ZC+9v+yCxoYf9vSyH+WkzPLB2LuUtRMGNkooMqdugGBFStIKXOuvH1W+EctA==", "requires": { "tunnel": "0.0.6" }, diff --git a/package.json b/package.json index 922361cd6..00e36b072 100644 --- a/package.json +++ b/package.json @@ -12,7 +12,7 @@ "dependencies": { "@actions/core": "^1.0.0", "@actions/exec": "^1.0.1", - "@actions/http-client": "^1.0.4", + "@actions/http-client": "^1.0.8", "@actions/io": "^1.0.1", "@actions/tool-cache": "^1.1.2", "@octokit/rest": "^17.1.0", From 34db3b0291dc246bf040e839a3cdd3f786dc4862 Mon Sep 17 00:00:00 2001 From: Justin Hutchings Date: Wed, 29 Apr 2020 14:09:20 -0700 Subject: [PATCH 6/6] Update README.md --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index a296ea3d4..66f9ea2c5 100644 --- a/README.md +++ b/README.md @@ -2,8 +2,6 @@ This action runs GitHub's industry-leading static analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/semmle/ql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code. -[Sign up for the Advanced Security beta](https://github.com/features/security/advanced-security/signup) - ## Usage To get code scanning results from CodeQL analysis on your repo you can use the following workflow as a template: