From 2789712b422ac12cb21edce665a075976d613c9f Mon Sep 17 00:00:00 2001
From: Kevin Sawicki <kevinsawicki@gmail.com>
Date: Tue, 28 Apr 2020 11:29:10 -0700
Subject: [PATCH 1/7] Send tool names as parameter to upload endpoint
---
lib/upload-lib.js | 4 +++-
lib/util.js | 18 +++++++++++++++
src/testdata/tool-names.sarif | 41 +++++++++++++++++++++++++++++++++++
src/upload-lib.ts | 5 ++++-
src/util.ts | 20 +++++++++++++++++
5 files changed, 86 insertions(+), 2 deletions(-)
create mode 100644 src/testdata/tool-names.sarif
diff --git a/lib/upload-lib.js b/lib/upload-lib.js
index 7896d419e..f28f085a4 100644
--- a/lib/upload-lib.js
+++ b/lib/upload-lib.js
@@ -100,6 +100,7 @@ async function uploadFiles(sarifFiles) {
if (matrix === "null" || matrix === "") {
matrix = undefined;
}
+ const toolNames = util.getToolNames(sarifPayload);
const payload = JSON.stringify({
"commit_oid": commitOid,
"ref": ref,
@@ -108,7 +109,8 @@ async function uploadFiles(sarifFiles) {
"workflow_run_id": workflowRunID,
"checkout_uri": checkoutURI,
"environment": matrix,
- "started_at": startedAt
+ "started_at": startedAt,
+ "tool_names": toolNames,
});
core.info('Uploading results');
const githubToken = core.getInput('token');
diff --git a/lib/util.js b/lib/util.js
index 0612c1268..d12a91044 100644
--- a/lib/util.js
+++ b/lib/util.js
@@ -262,3 +262,21 @@ async function reportActionSucceeded(action) {
await sendStatusReport(await createStatusReport(action, 'success'));
}
exports.reportActionSucceeded = reportActionSucceeded;
+/**
+ * Get the array of all the tool names contained in the given sarif contents.
+ *
+ * Returns an array of unique string tool names.
+ */
+function getToolNames(sarifContents) {
+ const sarif = JSON.parse(sarifContents);
+ const toolNames = {};
+ for (const run of sarif.runs || []) {
+ const tool = run.tool || {};
+ const driver = tool.driver || {};
+ if (typeof driver.name === "string" && driver.name.length > 0) {
+ toolNames[driver.name] = true;
+ }
+ }
+ return Object.keys(toolNames);
+}
+exports.getToolNames = getToolNames;
diff --git a/src/testdata/tool-names.sarif b/src/testdata/tool-names.sarif
new file mode 100644
index 000000000..ee6cd8cd7
--- /dev/null
+++ b/src/testdata/tool-names.sarif
@@ -0,0 +1,41 @@
+{
+ "$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
+ "version": "2.1.0",
+ "runs": [
+ {
+ "tool": {
+ "driver": {
+ "name": "CodeQL command-line toolchain"
+ }
+ }
+ },
+ {
+ "tool": {
+ "driver": {
+ "name": "CodeQL command-line toolchain"
+ }
+ }
+ },
+ {
+ "tool": {
+ "driver": {
+ "name": "ESLint"
+ }
+ }
+ },
+ {
+ "tool": {
+ "driver": {
+ "name": ""
+ }
+ }
+ },
+ {
+ "tool": {
+ "driver": {
+ "name": null
+ }
+ }
+ }
+ ]
+}
diff --git a/src/upload-lib.ts b/src/upload-lib.ts
index 1d35b0b2a..8c6a31e4e 100644
--- a/src/upload-lib.ts
+++ b/src/upload-lib.ts
@@ -98,6 +98,8 @@ async function uploadFiles(sarifFiles: string[]) {
matrix = undefined;
}
+ const toolNames = util.getToolNames(sarifPayload);
+
const payload = JSON.stringify({
"commit_oid": commitOid,
"ref": ref,
@@ -106,7 +108,8 @@ async function uploadFiles(sarifFiles: string[]) {
"workflow_run_id": workflowRunID,
"checkout_uri": checkoutURI,
"environment": matrix,
- "started_at": startedAt
+ "started_at": startedAt,
+ "tool_names": toolNames,
});
core.info('Uploading results');
diff --git a/src/util.ts b/src/util.ts
index 7bb3ec0a5..cfdd2419c 100644
--- a/src/util.ts
+++ b/src/util.ts
@@ -293,3 +293,23 @@ export async function reportActionFailed(action: string, cause?: string, excepti
export async function reportActionSucceeded(action: string) {
await sendStatusReport(await createStatusReport(action, 'success'));
}
+
+/**
+ * Get the array of all the tool names contained in the given sarif contents.
+ *
+ * Returns an array of unique string tool names.
+ */
+export function getToolNames(sarifContents: string): string[] {
+ const sarif = JSON.parse(sarifContents);
+ const toolNames = {};
+
+ for (const run of sarif.runs || []) {
+ const tool = run.tool || {};
+ const driver = tool.driver || {};
+ if (typeof driver.name === "string" && driver.name.length > 0) {
+ toolNames[driver.name] = true;
+ }
+ }
+
+ return Object.keys(toolNames);
+}
From a983d385c7849fe0c86ba94592d26d0fe607ebdb Mon Sep 17 00:00:00 2001
From: XhmikosR <xhmikosr@gmail.com>
Date: Wed, 29 Apr 2020 12:47:06 +0300
Subject: [PATCH 2/7] Update README.md
* indentation fixes
* fix `JavaScript` capitalization
* minor grammar tweaks
---
README.md | 108 +++++++++++++++++++++++++++++-------------------------
1 file changed, 58 insertions(+), 50 deletions(-)
diff --git a/README.md b/README.md
index 219864679..a296ea3d4 100644
--- a/README.md
+++ b/README.md
@@ -1,9 +1,10 @@
- # CodeQL Action
-This action runs GitHub's industry-leading static analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/semmle/ql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
-
+# CodeQL Action
+
+This action runs GitHub's industry-leading static analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/semmle/ql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
+
[Sign up for the Advanced Security beta](https://github.com/features/security/advanced-security/signup)
-
- ## Usage
+
+## Usage
To get code scanning results from CodeQL analysis on your repo you can use the following workflow as a template:
@@ -22,39 +23,38 @@ jobs:
strategy:
fail-fast: false
-
# CodeQL runs on ubuntu-latest, windows-latest, and macos-latest
runs-on: ubuntu-latest
steps:
- - name: Checkout repository
- uses: actions/checkout@v2
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
- # Override language selection by uncommenting this and choosing your languages
- # with:
- # languages: go, javascript, csharp, python, cpp, java
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below).
- - name: Autobuild
- uses: github/codeql-action/autobuild@v1
-
- # âšī¸ Command-line programs to run using the OS shell.
- # đ https://git.io/JvXDl
-
- # âī¸ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
-
- #- run: |
- # make bootstrap
- # make release
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
+ - name: Checkout repository
+ uses: actions/checkout@v2
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ # Override language selection by uncommenting this and choosing your languages
+ # with:
+ # languages: go, javascript, csharp, python, cpp, java
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below).
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v1
+
+ # âšī¸ Command-line programs to run using the OS shell.
+ # đ https://git.io/JvXDl
+
+ # âī¸ If the Autobuild fails above, remove it and uncomment the following
+ # three lines and modify them (or add more) to build your code if your
+ # project uses a compiled language
+
+ #- run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
```
If you prefer to integrate this within an existing CI workflow, it should end up looking something like this:
@@ -73,19 +73,23 @@ If you prefer to integrate this within an existing CI workflow, it should end up
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
```
+
### Actions triggers
-The CodeQL action should be run on `push` events, and on a `schedule`. `Push` events allow us to do detailed analysis of the delta in a pull request, while the `schedule` event ensures that GitHub regularly scans the repository for the latest vulnerabilities, even if the repository becomes inactive. This action does not support the `pull_request` event.
-### Configuration
+The CodeQL action should be run on `push` events, and on a `schedule`. `Push` events allow us to do a detailed analysis of the delta in a pull request, while the `schedule` event ensures that GitHub regularly scans the repository for the latest vulnerabilities, even if the repository becomes inactive. This action does not support the `pull_request` event.
+
+### Configuration
+
You may optionally specify additional queries for CodeQL to execute by using a config file. The queries must belong to a [QL pack](https://help.semmle.com/codeql/codeql-cli/reference/qlpack-overview.html) and can be in your repository or any public repository. You can choose a single .ql file, a folder containing multiple .ql files, a .qls [query suite](https://help.semmle.com/codeql/codeql-cli/procedures/query-suites.html) file, or any combination of the above. To use queries from other repositories use the same syntax as when [using an action](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsuses).
You can choose to ignore some files or folders from the analysis, or include additional files/folders for analysis. This *only* works for Javascript and Python analysis.
Identifying potential files for extraction:
-- Scans each folder that's defined as `paths` in turn, traversing subfolders and looking for relevant files.
+
+- Scans each folder that's defined as `paths` in turn, traversing subfolders, and looking for relevant files.
- If it finds a subfolder that's defined as `paths-ignore`, stop traversing.
- If a file or folder is both in `paths` and `paths-ignore`, the `paths-ignore` is ignored.
-Use the config-file parameter of the init action to enable the configuration file. For example:
+Use the `config-file` parameter of the init action to enable the configuration file. For example:
```yaml
- uses: github/codeql-action/init@v1
@@ -103,8 +107,8 @@ queries:
uses: ./my-queries
- name: External Javascript QL pack (Runs a QL pack located in an external repo)
uses: /Semmle/ql/javascript/ql/src/Electron@master
- - name: External query (Runs a single query located in an external QL pack)
- uses: Semmle/ql/javascript/ql/src/AngularJS/DeadAngularJSEventListener.ql@master
+ - name: External query (Runs a single query located in an external QL pack)
+ uses: Semmle/ql/javascript/ql/src/AngularJS/DeadAngularJSEventListener.ql@master
- name: Select query suite (Runs a query suites)
uses: ./codeql-querypacks/complex-python-querypack/rootAndBar.qls
@@ -112,8 +116,8 @@ paths:
- src/util.ts
paths-ignore:
- - src
- - lib
+ - src
+ - lib
```
## Troubleshooting
@@ -128,6 +132,7 @@ Try passing
env:
GOFLAGS: "-mod=vendor"
```
+
to `github/codeql-action/analyze`.
### If you do not use a vendor directory
@@ -136,21 +141,24 @@ Dependencies on public repositories should just work. If you have dependencies o
```yaml
steps:
-- name: Configure git private repo access
- env:
- TOKEN: ${{ secrets.GITHUB_PAT }}
- run: |
- git config --global url."https://${TOKEN}@github.com/foo/bar".insteadOf "https://github.com/foo/bar"
- git config --global url."https://${TOKEN}@github.com/foo/baz".insteadOf "https://github.com/foo/baz"
+ - name: Configure git private repo access
+ env:
+ TOKEN: ${{ secrets.GITHUB_PAT }}
+ run: |
+ git config --global url."https://${TOKEN}@github.com/foo/bar".insteadOf "https://github.com/foo/bar"
+ git config --global url."https://${TOKEN}@github.com/foo/baz".insteadOf "https://github.com/foo/baz"
```
-before any codeql actions. A similar thing can also be done with a SSH key or deploy key.
+
+before any codeql actions. A similar thing can also be done with an SSH key or deploy key.
### C# using dotnet version 2 on linux
This currently requires invoking `dotnet` with the `/p:UseSharedCompilation=false` flag. For example:
-```
+
+```shell
dotnet build /p:UseSharedCompilation=false
```
+
Version 3 does not require the additional flag.
## License
From e7afa7cb98f20e994515b5ce1360761203624049 Mon Sep 17 00:00:00 2001
From: Arthur Baars <aibaars@github.com>
Date: Wed, 29 Apr 2020 13:07:24 +0200
Subject: [PATCH 3/7] Fix parsing of path-ignore field
---
lib/config-utils.js | 2 +-
src/config-utils.ts | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/config-utils.js b/lib/config-utils.js
index ae4414430..20c2e5945 100644
--- a/lib/config-utils.js
+++ b/lib/config-utils.js
@@ -84,7 +84,7 @@ function initConfig() {
});
}
const pathsIgnore = parsedYAML['paths-ignore'];
- if (pathsIgnore && queries instanceof Array) {
+ if (pathsIgnore && pathsIgnore instanceof Array) {
pathsIgnore.forEach(path => {
if (typeof path === "string") {
config.pathsIgnore.push(path);
diff --git a/src/config-utils.ts b/src/config-utils.ts
index 5221e5906..407fb5ac0 100644
--- a/src/config-utils.ts
+++ b/src/config-utils.ts
@@ -91,7 +91,7 @@ function initConfig(): Config {
}
const pathsIgnore = parsedYAML['paths-ignore'];
- if (pathsIgnore && queries instanceof Array) {
+ if (pathsIgnore && pathsIgnore instanceof Array) {
pathsIgnore.forEach(path => {
if (typeof path === "string") {
config.pathsIgnore.push(path);
From 6f11b5d2137e77ab676c0610b5a372fe06ef538e Mon Sep 17 00:00:00 2001
From: Kevin Sawicki <kevinsawicki@gmail.com>
Date: Wed, 29 Apr 2020 08:04:46 -0700
Subject: [PATCH 4/7] Add initial util test
---
src/util.test.ts | 9 +++++++++
1 file changed, 9 insertions(+)
create mode 100644 src/util.test.ts
diff --git a/src/util.test.ts b/src/util.test.ts
new file mode 100644
index 000000000..3dfd2f72d
--- /dev/null
+++ b/src/util.test.ts
@@ -0,0 +1,9 @@
+import * as fs from 'fs';
+
+import * as util from './util';
+
+test('getToolNames', () => {
+ const input = fs.readFileSync(__dirname + '/testdata/tool-names.sarif', 'utf8')
+ const toolNames = util.getToolNames(input);
+ expect(toolNames).toStrictEqual(["CodeQL command-line toolchain", "ESLint"])
+})
From 62f756fc9dcd6e91482f05fbdc4b57d3a49d7957 Mon Sep 17 00:00:00 2001
From: Kevin Sawicki <kevinsawicki@gmail.com>
Date: Wed, 29 Apr 2020 08:10:28 -0700
Subject: [PATCH 5/7] Fix other typo
---
.github/pull_request_template.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index d6467871a..52ccfdb09 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,7 +1,7 @@
### Merge / deployment checklist
-- Run test builds as necessary. Can be on this repository or elsewhere as needed in order to test the change - please include links to tests in otehr repos!
+- Run test builds as necessary. Can be on this repository or elsewhere as needed in order to test the change - please include links to tests in other repos!
- [ ] CodeQL using init/finish actions
- [ ] 3rd party tool using upload action
- [ ] Confirm this change is backwards compatible with existing workflows.
-- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/master/README.md) has been updated if necessary.
\ No newline at end of file
+- [ ] Confirm the [readme](https://github.com/github/codeql-action/blob/master/README.md) has been updated if necessary.
From 0cf8450c2400c10d330933a5102827114f907cbe Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 29 Apr 2020 18:03:56 +0000
Subject: [PATCH 6/7] Bump @actions/http-client from 1.0.4 to 1.0.8
Bumps [@actions/http-client](https://github.com/actions/http-client) from 1.0.4 to 1.0.8.
- [Release notes](https://github.com/actions/http-client/releases)
- [Changelog](https://github.com/actions/http-client/blob/master/RELEASES.md)
- [Commits](https://github.com/actions/http-client/commits)
Signed-off-by: dependabot[bot] <support@github.com>
---
package-lock.json | 6 +++---
package.json | 2 +-
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 63573714f..f3d9d22af 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15,9 +15,9 @@
"integrity": "sha512-nvFkxwiicvpzNiCBF4wFBDfnBvi7xp/as7LE1hBxBxKG2L29+gkIPBiLKMVORL+Hg3JNf07AKRfl0V5djoypjQ=="
},
"@actions/http-client": {
- "version": "1.0.4",
- "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.4.tgz",
- "integrity": "sha512-6EzXhqapKKtYr21ZnFQVBYwfrYPKPCivuSkUN/66/BDakkH2EPjUZH8tZ3MgHdI+gQIdcsY0ybbxw9ZEOmJB6g==",
+ "version": "1.0.8",
+ "resolved": "https://registry.npmjs.org/@actions/http-client/-/http-client-1.0.8.tgz",
+ "integrity": "sha512-G4JjJ6f9Hb3Zvejj+ewLLKLf99ZC+9v+yCxoYf9vSyH+WkzPLB2LuUtRMGNkooMqdugGBFStIKXOuvH1W+EctA==",
"requires": {
"tunnel": "0.0.6"
},
diff --git a/package.json b/package.json
index 922361cd6..00e36b072 100644
--- a/package.json
+++ b/package.json
@@ -12,7 +12,7 @@
"dependencies": {
"@actions/core": "^1.0.0",
"@actions/exec": "^1.0.1",
- "@actions/http-client": "^1.0.4",
+ "@actions/http-client": "^1.0.8",
"@actions/io": "^1.0.1",
"@actions/tool-cache": "^1.1.2",
"@octokit/rest": "^17.1.0",
From 34db3b0291dc246bf040e839a3cdd3f786dc4862 Mon Sep 17 00:00:00 2001
From: Justin Hutchings <jhutchings1@users.noreply.github.com>
Date: Wed, 29 Apr 2020 14:09:20 -0700
Subject: [PATCH 7/7] Update README.md
---
README.md | 2 --
1 file changed, 2 deletions(-)
diff --git a/README.md b/README.md
index a296ea3d4..66f9ea2c5 100644
--- a/README.md
+++ b/README.md
@@ -2,8 +2,6 @@
This action runs GitHub's industry-leading static analysis engine, CodeQL, against a repository's source code to find security vulnerabilities. It then automatically uploads the results to GitHub so they can be displayed in the repository's security tab. CodeQL runs an extensible set of [queries](https://github.com/semmle/ql), which have been developed by the community and the [GitHub Security Lab](https://securitylab.github.com/) to find common vulnerabilities in your code.
-[Sign up for the Advanced Security beta](https://github.com/features/security/advanced-security/signup)
-
## Usage
To get code scanning results from CodeQL analysis on your repo you can use the following workflow as a template: