Merge branch 'master' into analysisName

README.md

@@ -2,6 +2,12 @@
 
 This action runs GitHub's industry-leading static analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/semmle/ql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
 
+## License
+
+This project is released under the [MIT License](LICENSE).
+
+The underlying CodeQL CLI, used in this action, is licensed under the [GitHub CodeQL Terms and Conditions](https://securitylab.github.com/tools/codeql/license). As such, this action may be used on open source projects hosted on GitHub, and on  private repositories that are owned by an organisation with GitHub Advanced Security enabled.
+
 ## Usage
 
 To get code scanning results from CodeQL analysis on your repo you can use the following workflow as a template:
@@ -137,7 +143,7 @@ env:
 
 to `github/codeql-action/analyze`.
 
-### If you do not use a vendor directory
+#### If you do not use a vendor directory
 
 Dependencies on public repositories should just work. If you have dependencies on private repositories, one option is to use `git config` and a [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) to authenticate when downloading dependencies. Add a section like
 
@@ -163,6 +169,6 @@ dotnet build /p:UseSharedCompilation=false
 
 Version 3 does not require the additional flag.
 
-## License
+### Analysing Go together with other languages on `macos-latest`
 
-This project is released under the [MIT License](LICENSE).
+When running on macos it is currently not possible to analyze Go in conjunction with any of Java, C/C++, or C#. Each language can still be analyzed separately.

queries/undeclared-action-input.ql

@@ -0,0 +1,65 @@
+/**
+ * @name Undeclared action input
+ * @description Code tries to use an input parameter that is not defined for this action.
+   Perhaps this code is shared by multiple actions.
+ * @kind problem
+ * @problem.severity error
+ * @id javascript/codeql-action/undeclared-action-input
+ */
+
+import javascript
+
+class ActionDeclaration extends File {
+  ActionDeclaration() {
+    getRelativePath().matches("%/action.yml")
+  }
+
+  string getName() {
+    result = getRelativePath().regexpCapture("(.*)/action.yml", 1)
+  }
+
+  YAMLDocument getRootNode() {
+    result.getFile() = this
+  }
+
+  string getAnInput() {
+    result = getRootNode().(YAMLMapping).lookup("inputs").(YAMLMapping).getKey(_).(YAMLString).getValue()
+  }
+
+  FunctionDeclStmt getEntrypoint() {
+    result.getFile().getRelativePath() = getRootNode().
+      (YAMLMapping).lookup("runs").
+      (YAMLMapping).lookup("main").
+      (YAMLString).getValue().regexpReplaceAll("\\.\\./lib/(.*)\\.js", "src/$1.ts") and
+    result.getName() = "run"
+  }
+}
+
+Expr getAFunctionChildExpr(Function f) {
+  result.getContainer() = f
+}
+
+/*
+ * Result is a function that is called from the body of the given function `f`
+ */
+Function calledBy(Function f) {
+  result = getAFunctionChildExpr(f).(InvokeExpr).getResolvedCallee()
+  or
+  result.getEnclosingContainer() = f // assume outer function causes inner function to be called
+}
+
+class GetInputMethodCallExpr extends MethodCallExpr {
+  GetInputMethodCallExpr() {
+    getMethodName() = "getInput"
+  }
+
+  string getInputName() {
+    result = getArgument(0).(StringLiteral).getValue()
+  }
+}
+
+from ActionDeclaration action, GetInputMethodCallExpr getInputCall, string inputName
+where getAFunctionChildExpr(calledBy*(action.getEntrypoint())) = getInputCall and
+  inputName = getInputCall.getInputName() and
+  not inputName = action.getAnInput()
+select getInputCall, "The $@ input is not defined for the $@ action", inputName, inputName, action, action.getName()

src/autobuild.ts

@@ -15,7 +15,8 @@ async function run() {
     // We want pick the dominant language in the repo from the ones we're able to build
     // The languages are sorted in order specified by user or by lines of code if we got
     // them from the GitHub API, so try to build the first language on the list.
-    const language = process.env[sharedEnv.CODEQL_ACTION_TRACED_LANGUAGES]?.split(',')[0];
+    const autobuildLanguages = process.env[sharedEnv.CODEQL_ACTION_TRACED_LANGUAGES]?.split(',') || [];
+    const language = autobuildLanguages[0];
 
     if (!language) {
       core.info("None of the languages in this project require extra build steps");
@@ -24,6 +25,10 @@ async function run() {
 
     core.debug(`Detected dominant traced language: ${language}`);
 
+    if (autobuildLanguages.length > 1) {
+      core.warning(`We will only automatically build ${language} code. If you wish to scan ${autobuildLanguages.slice(1).join(' and ')}, you must replace this block with custom build steps.`);
+    }
+
     core.startGroup(`Attempting to automatically build ${language} code`);
     // TODO: share config accross actions better via env variables
     const codeqlCmd = util.getRequiredEnvParam(sharedEnv.CODEQL_ACTION_CMD);
@@ -44,7 +49,7 @@ async function run() {
     core.endGroup();
 
   } catch (error) {
-    core.setFailed(error.message);
+    core.setFailed("We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps.  " + error.message);
     await util.reportActionFailed('autobuild', error.message, error.stack);
     return;
   }
@@ -53,6 +58,6 @@ async function run() {
 }
 
 run().catch(e => {
-  core.setFailed("autobuild action failed: " + e);
+  core.setFailed("autobuild action failed.  " + e);
   console.log(e);
 });