Merge pull request #15 from github/master

Update v1 branch
github · May 1, 2020 · 999c772 · 999c772
2 parents 74eb3b3 + 5218f93
commit 999c772
Show file tree

Hide file tree

Showing 18 changed files with 305 additions and 87 deletions.
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -1,7 +1,7 @@
 ### Merge / deployment checklist
 
-- Run test builds as necessary. Can be on this repository or elsewhere as needed in order to test the change - please include links to tests in otehr repos!
-  - [ ] CodeQL using init/finish actions
+- Run test builds as necessary. Can be on this repository or elsewhere as needed in order to test the change - please include links to tests in other repos!
+  - [ ] CodeQL using init/analyze actions
   - [ ] 3rd party tool using upload action
 - [ ] Confirm this change is backwards compatible with existing workflows.
-- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/master/README.md) has been updated if necessary.
+- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/master/README.md) has been updated if necessary.
diff --git a/README.md b/README.md
@@ -2,8 +2,6 @@
 
 This action runs GitHub's industry-leading static analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/semmle/ql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
 
-[Sign up for the Advanced Security beta](https://github.com/features/security/advanced-security/signup)
-
 ## Usage
 
 To get code scanning results from CodeQL analysis on your repo you can use the following workflow as a template:
@@ -82,6 +80,8 @@ The CodeQL action should be run on `push` events, and on a `schedule`. `Push` ev
 
 You may optionally specify additional queries for CodeQL to execute by using a config file. The queries must belong to a [QL pack](https://help.semmle.com/codeql/codeql-cli/reference/qlpack-overview.html) and can be in your repository or any public repository. You can choose a single .ql file, a folder containing multiple .ql files, a .qls [query suite](https://help.semmle.com/codeql/codeql-cli/procedures/query-suites.html) file, or any combination of the above. To use queries from other repositories use the same syntax as when [using an action](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsuses).
 
+You can disable the default queries using `disable-default-queries: true`.
+
 You can choose to ignore some files or folders from the analysis, or include additional files/folders for analysis. This *only* works for Javascript and Python analysis.
 Identifying potential files for extraction:
 
@@ -102,6 +102,8 @@ A config file looks like this:
 ```yaml
 name: "My CodeQL config"
 
+disable-default-queries: true
+
 queries:
   - name: In-repo queries (Runs the queries located in the my-queries folder of the repo)
     uses: ./my-queries

diff --git a/lib/autobuild.js b/lib/autobuild.js
diff --git a/lib/config-utils.js b/lib/config-utils.js
diff --git a/lib/finalize-db.js b/lib/finalize-db.js
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
diff --git a/lib/upload-sarif.js b/lib/upload-sarif.js
diff --git a/lib/util.js b/lib/util.js
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -12,7 +12,7 @@
   "dependencies": {
     "@actions/core": "^1.0.0",
     "@actions/exec": "^1.0.1",
-    "@actions/http-client": "^1.0.4",
+    "@actions/http-client": "^1.0.8",
     "@actions/io": "^1.0.1",
     "@actions/tool-cache": "^1.1.2",
     "@octokit/rest": "^17.1.0",

diff --git a/src/autobuild.ts b/src/autobuild.ts
@@ -15,7 +15,8 @@ async function run() {
     // We want pick the dominant language in the repo from the ones we're able to build
     // The languages are sorted in order specified by user or by lines of code if we got
     // them from the GitHub API, so try to build the first language on the list.
-    const language = process.env[sharedEnv.CODEQL_ACTION_TRACED_LANGUAGES]?.split(',')[0];
+    const autobuildLanguages = process.env[sharedEnv.CODEQL_ACTION_TRACED_LANGUAGES]?.split(',') || [];
+    const language = autobuildLanguages[0];
 
     if (!language) {
       core.info("None of the languages in this project require extra build steps");
@@ -24,6 +25,10 @@ async function run() {
 
     core.debug(`Detected dominant traced language: ${language}`);
 
+    if (autobuildLanguages.length > 1) {
+      core.warning(`We will only automatically build ${language} code. If you wish to scan ${autobuildLanguages.slice(1).join(' and ')}, you must replace this block with custom build steps.`);
+    }
+
     core.startGroup(`Attempting to automatically build ${language} code`);
     // TODO: share config accross actions better via env variables
     const codeqlCmd = util.getRequiredEnvParam(sharedEnv.CODEQL_ACTION_CMD);
@@ -44,7 +49,7 @@ async function run() {
     core.endGroup();
 
   } catch (error) {
-    core.setFailed(error.message);
+    core.setFailed("We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps.  " + error.message);
     await util.reportActionFailed('autobuild', error.message, error.stack);
     return;
   }
@@ -53,6 +58,6 @@ async function run() {
 }
 
 run().catch(e => {
-  core.setFailed("autobuild action failed: " + e);
+  core.setFailed("autobuild action failed.  " + e);
   console.log(e);
 });