Merge branch 'master' into safe-config-parsing

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: true
+contact_links:
+  - name: Contact GitHub Support
+    url: https://support.github.com/contact?subject=Code+Scanning+Beta+Support&tags=code-scanning-support
+    about: Contact Support about code scanning

.github/codeql/codeql-config.yml

@@ -2,5 +2,12 @@ name: "CodeQL config"
 queries: 
   - name: Run custom queries
     uses: ./queries
+  # Run all extra query suites, both because we want to
+  # and because it'll act as extra testing. This is why
+  # we include both even though one is a superset of the
+  # other, because we're testing the parsing logic and
+  # that the suites exist in the codeql bundle.
+  - uses: security-extended
+  - uses: security-and-quality
 paths-ignore:
   - tests

.github/workflows/codeql.yml

@@ -1,6 +1,6 @@
 name: "CodeQL action"
 
-on: [push]
+on: [push, pull_request]
 
 jobs:
   build:
@@ -11,6 +11,16 @@ jobs:
 
     steps:
     - uses: actions/checkout@v1
+      with:
+        # Must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head of the pull request.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
     - uses: ./init
       with:
         languages: javascript

.github/workflows/integration-testing.yml

@@ -1,31 +1,40 @@
 name: "Integration Testing"
 
-on: [push]
+on: [push, pull_request]
 
 jobs:
   multi-language-repo_test-autodetect-languages:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, windows-latest]
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
 
     steps:
     - uses: actions/checkout@v2
     - name: Move codeql-action
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
-        mv * ../action/
-        mv ../action/tests/multi-language-repo/* .
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
     - uses: ./../action/init
     - name: Build code
       shell: bash
       run: ./build.sh
     - uses: ./../action/analyze
       env:
         TEST_MODE: true
+    - run: |
+        cd "$CODEQL_ACTION_DATABASE_DIR"
+        # List all directories as there will be precisely one directory per database
+        # but there may be other files in this directory such as query suites.
+        if [ "$(ls -d */ | wc -l)" != 6 ] || \
+           [[ ! -d cpp ]] || \
+           [[ ! -d csharp ]] || \
+           [[ ! -d go ]] || \
+           [[ ! -d java ]] || \
+           [[ ! -d javascript ]] || \
+           [[ ! -d python ]]; then
+          echo "Did not find expected number of databases. Database dir contains: $(ls)"
+          exit 1
+        fi
 
   multi-language-repo_test-custom-queries:
     strategy:
@@ -40,9 +49,8 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
-        mv * ../action/
-        mv ../action/tests/multi-language-repo/* .
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
     - uses: ./../action/init
       with:
         languages: cpp,csharp,java,javascript,python
@@ -72,9 +80,8 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
-        mv * ../action/
-        mv ../action/tests/multi-language-repo/* .
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
     - uses: ./../action/init
       with:
         languages: go
@@ -96,9 +103,8 @@ jobs:
       shell: bash
       run: |
         mkdir ../action
-        shopt -s dotglob
-        mv * ../action/
-        mv ../action/tests/multi-language-repo/* .
+        mv * .github ../action/
+        mv ../action/tests/multi-language-repo/{*,.github} .
     - name: Set up Ruby
       uses: ruby/setup-ruby@v1
       with:
@@ -117,4 +123,4 @@ jobs:
       with:
         sarif_file: rubocop.sarif
       env:
-        TEST_MODE: true
+        TEST_MODE: true

README.md

@@ -10,6 +10,8 @@ The underlying CodeQL CLI, used in this action, is licensed under the [GitHub Co
 
 ## Usage
 
+This is a short walkthrough, but for more information read [configuring code scanning](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning).
+
 To get code scanning results from CodeQL analysis on your repo you can use the following workflow as a template:
 
 ```yaml
@@ -18,6 +20,7 @@ name: "Code Scanning - Action"
 
 on:
   push:
+  pull_request:
   schedule:
     - cron: '0 0 * * 0'
 
@@ -33,6 +36,17 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v2
+        with:
+          # Must fetch at least the immediate parents so that if this is
+          # a pull request then we can checkout the head of the pull request.
+          # Only include this option if you are running this workflow on pull requests.
+          fetch-depth: 2
+
+      # If this run was triggered by a pull request event then checkout
+      # the head of the pull request instead of the merge commit.
+      # Only include this step if you are running this workflow on pull requests.
+      - run: git checkout HEAD^2
+        if: ${{ github.event_name == 'pull_request' }}
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
@@ -78,97 +92,18 @@ If you prefer to integrate this within an existing CI workflow, it should end up
   uses: github/codeql-action/analyze@v1
 ```
 
-### Actions triggers
-
-The CodeQL action should be run on `push` events, and on a `schedule`. `Push` events allow us to do a detailed analysis of the delta in a pull request, while the `schedule` event ensures that GitHub regularly scans the repository for the latest vulnerabilities, even if the repository becomes inactive. This action does not support the `pull_request` event.
-
-### Configuration
-
-You may optionally specify additional queries for CodeQL to execute by using a config file. The queries must belong to a [QL pack](https://help.semmle.com/codeql/codeql-cli/reference/qlpack-overview.html) and can be in your repository or any public repository. You can choose a single .ql file, a folder containing multiple .ql files, a .qls [query suite](https://help.semmle.com/codeql/codeql-cli/procedures/query-suites.html) file, or any combination of the above. To use queries stored in your repository or from other repositories use the same syntax as when [using an action](https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsuses). Note that when using local queries starting with `./`, the path is relative to the root of the repository and not to the location of the config file.
+### Configuration file
 
-You can disable the default queries using `disable-default-queries: true`.
-
-You can choose to ignore some files or folders from the analysis, or include additional files/folders for analysis. This *only* works for Javascript and Python analysis.
-Identifying potential files for extraction:
-
-- Scans each folder that's defined as `paths` in turn, traversing subfolders, and looking for relevant files.
-- If it finds a subfolder that's defined as `paths-ignore`, stop traversing.
-- If a file or folder is both in `paths` and `paths-ignore`, the `paths-ignore` is ignored.
-
-Use the `config-file` parameter of the init action to enable the configuration file. For example:
+Use the `config-file` parameter of the `init` action to enable the configuration file. The value of `config-file` is the path to the configuration file you want to use. This example loads the configuration file `./.github/codeql/codeql-config.yml`.
 
 ```yaml
 - uses: github/codeql-action/init@v1
   with:
     config-file: ./.github/codeql/codeql-config.yml
 ```
 
-A config file looks like this:
-
-```yaml
-name: "My CodeQL config"
-
-disable-default-queries: true
-
-queries:
-  - name: In-repo queries (Runs the queries located in the my-queries folder of the repo)
-    uses: ./my-queries
-  - name: External Javascript QL pack (Runs a QL pack located in an external repo)
-    uses: /Semmle/ql/javascript/ql/src/Electron@master
-  - name: External query (Runs a single query located in an external QL pack)
-    uses: Semmle/ql/javascript/ql/src/AngularJS/DeadAngularJSEventListener.ql@master
-  - name: Select query suite (Runs a query suites)
-    uses: ./codeql-querypacks/complex-python-querypack/rootAndBar.qls
-
-paths:
-  - src/util.ts
-
-paths-ignore:
-  - src
-  - lib
-```
+The configuration file must be located within the local repository. For information on how to write a configuration file, see "[Using a custom configuration](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#using-a-custom-configuration)."
 
 ## Troubleshooting
 
-### Trouble with Go dependencies
-
-#### If you use a vendor directory
-
-Try passing
-
-```yaml
-env:
-  GOFLAGS: "-mod=vendor"
-```
-
-to `github/codeql-action/analyze`.
-
-#### If you do not use a vendor directory
-
-Dependencies on public repositories should just work. If you have dependencies on private repositories, one option is to use `git config` and a [personal access token](https://help.github.com/en/github/authenticating-to-github/creating-a-personal-access-token-for-the-command-line) to authenticate when downloading dependencies. Add a section like
-
-```yaml
-steps:
-  - name: Configure git private repo access
-    env:
-      TOKEN: ${{ secrets.GITHUB_PAT }}
-    run: |
-      git config --global url."https://${TOKEN}@github.com/foo/bar".insteadOf "https://github.com/foo/bar"
-      git config --global url."https://${TOKEN}@github.com/foo/baz".insteadOf "https://github.com/foo/baz"
-```
-
-before any codeql actions. A similar thing can also be done with an SSH key or deploy key.
-
-### C# using dotnet version 2 on linux
-
-This currently requires invoking `dotnet` with the `/p:UseSharedCompilation=false` flag. For example:
-
-```shell
-dotnet build /p:UseSharedCompilation=false
-```
-
-Version 3 does not require the additional flag.
-
-### Analysing Go together with other languages on `macos-latest`
-
-When running on macos it is currently not possible to analyze Go in conjunction with any of Java, C/C++, or C#. Each language can still be analyzed separately.
+Read about [troubleshooting code scanning](https://help.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning).

init/action.yml

@@ -5,7 +5,7 @@ inputs:
   tools:
     description: URL of CodeQL tools
     required: false
-    default: https://github.com/github/codeql-action/releases/download/codeql-bundle-20200427/codeql-bundle.tar.gz
+    default: https://github.com/github/codeql-action/releases/download/codeql-bundle-20200601/codeql-bundle.tar.gz
   languages:
     description: The languages to be analysed
     required: false