From 37a2d1fe3cfb2e68219d9489658a2ef615d2080f Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Mon, 2 Oct 2023 17:29:54 +0100
Subject: [PATCH] Remove ML-powered queries PR checks
---
.github/workflows/__ml-powered-queries.yml | 153 ---------------------
pr-checks/checks/ml-powered-queries.yml | 55 --------
2 files changed, 208 deletions(-)
delete mode 100644 .github/workflows/__ml-powered-queries.yml
delete mode 100644 pr-checks/checks/ml-powered-queries.yml
diff --git a/.github/workflows/__ml-powered-queries.yml b/.github/workflows/__ml-powered-queries.yml
deleted file mode 100644
index 15736462e..000000000
--- a/.github/workflows/__ml-powered-queries.yml
+++ /dev/null
@@ -1,153 +0,0 @@
-# Warning: This file is generated automatically, and should not be modified.
-# Instead, please modify the template in the pr-checks directory and run:
-# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
-# to regenerate this file.
-
-name: PR Check - ML-powered queries
-env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GO111MODULE: auto
- CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
-on:
- push:
- branches:
- - main
- - releases/v2
- pull_request:
- types:
- - opened
- - synchronize
- - reopened
- - ready_for_review
- workflow_dispatch: {}
-jobs:
- ml-powered-queries:
- strategy:
- matrix:
- include:
- - os: ubuntu-latest
- version: stable-20220908
- - os: macos-latest
- version: stable-20220908
- - os: windows-latest
- version: stable-20220908
- - os: ubuntu-latest
- version: stable-20221211
- - os: macos-latest
- version: stable-20221211
- - os: windows-latest
- version: stable-20221211
- - os: ubuntu-latest
- version: stable-20230418
- - os: macos-latest
- version: stable-20230418
- - os: windows-latest
- version: stable-20230418
- - os: ubuntu-latest
- version: stable-v2.13.5
- - os: macos-latest
- version: stable-v2.13.5
- - os: windows-latest
- version: stable-v2.13.5
- - os: ubuntu-latest
- version: stable-v2.14.6
- - os: macos-latest
- version: stable-v2.14.6
- - os: windows-latest
- version: stable-v2.14.6
- - os: ubuntu-latest
- version: default
- - os: macos-latest
- version: default
- - os: windows-latest
- version: default
- - os: ubuntu-latest
- version: latest
- - os: macos-latest
- version: latest
- - os: windows-latest
- version: latest
- - os: ubuntu-latest
- version: nightly-latest
- - os: macos-latest
- version: nightly-latest
- - os: windows-latest
- version: nightly-latest
- name: ML-powered queries
- permissions:
- contents: read
- security-events: write
- timeout-minutes: 45
- runs-on: ${{ matrix.os }}
- steps:
- - name: Check out repository
- uses: actions/checkout@v4
- - name: Prepare test
- id: prepare-test
- uses: ./.github/actions/prepare-test
- with:
- version: ${{ matrix.version }}
- use-all-platform-bundle: 'false'
- - name: Set environment variable for Swift enablement
- if: >-
- runner.os != 'Windows' && (
- matrix.version == '20220908' ||
- matrix.version == '20221211'
- )
- shell: bash
- run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV
- - uses: ./../action/init
- with:
- languages: javascript
- queries: security-extended
- source-root: ./../action/tests/ml-powered-queries-repo
- tools: ${{ steps.prepare-test.outputs.tools-url }}
-
- - uses: ./../action/analyze
- with:
- output: ${{ runner.temp }}/results
- upload-database: false
-
- - name: Upload SARIF
- uses: actions/upload-artifact@v3
- with:
- name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
- path: ${{ runner.temp }}/results/javascript.sarif
- retention-days: 7
-
- - name: Check sarif
- uses: ./../action/.github/actions/check-sarif
- with:
- sarif-file: ${{ runner.temp }}/results/javascript.sarif
- queries-run:
- js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
- queries-not-run: foo,bar
-
- - name: Check results
- shell: bash
- run: |
- cd "$RUNNER_TEMP/results"
- # We should run at least the ML-powered queries in `expected_rules`.
- expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
-
- for rule in ${expected_rules}; do
- found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
- flatten | .[].id] | any(. == $rule)' javascript.sarif)
- echo "Did find rule '${rule}': ${found_rule}"
- if [[ "${found_rule}" != "true" ]]; then
- echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
- exit 1
- fi
- done
-
- # We should have at least one alert from an ML-powered query.
- num_alerts=$(jq '[.runs[0].results[] |
- select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
- javascript.sarif)
- echo "Found ${num_alerts} alerts from ML-powered queries.";
- if [[ "${num_alerts}" -eq 0 ]]; then
- echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
- exit 1
- fi
- env:
- CODEQL_ACTION_TEST_MODE: true
diff --git a/pr-checks/checks/ml-powered-queries.yml b/pr-checks/checks/ml-powered-queries.yml
deleted file mode 100644
index 87c5c375c..000000000
--- a/pr-checks/checks/ml-powered-queries.yml
+++ /dev/null
@@ -1,55 +0,0 @@
-name: "ML-powered queries"
-description: "Tests that ML-powered queries are run with the security-extended suite and that they produce alerts on a test DB"
-steps:
- - uses: ./../action/init
- with:
- languages: javascript
- queries: security-extended
- source-root: ./../action/tests/ml-powered-queries-repo
- tools: ${{ steps.prepare-test.outputs.tools-url }}
-
- - uses: ./../action/analyze
- with:
- output: "${{ runner.temp }}/results"
- upload-database: false
-
- - name: Upload SARIF
- uses: actions/upload-artifact@v3
- with:
- name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
- path: "${{ runner.temp }}/results/javascript.sarif"
- retention-days: 7
-
- - name: Check sarif
- uses: ./../action/.github/actions/check-sarif
- with:
- sarif-file: ${{ runner.temp }}/results/javascript.sarif
- queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
- queries-not-run: foo,bar
-
- - name: Check results
- shell: bash
- run: |
- cd "$RUNNER_TEMP/results"
- # We should run at least the ML-powered queries in `expected_rules`.
- expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
-
- for rule in ${expected_rules}; do
- found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
- flatten | .[].id] | any(. == $rule)' javascript.sarif)
- echo "Did find rule '${rule}': ${found_rule}"
- if [[ "${found_rule}" != "true" ]]; then
- echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
- exit 1
- fi
- done
-
- # We should have at least one alert from an ML-powered query.
- num_alerts=$(jq '[.runs[0].results[] |
- select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
- javascript.sarif)
- echo "Found ${num_alerts} alerts from ML-powered queries.";
- if [[ "${num_alerts}" -eq 0 ]]; then
- echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
- exit 1
- fi