diff --git a/.github/workflows/__analyze-ref-input.yml b/.github/workflows/__analyze-ref-input.yml
index 61ad6a3b8..f20837daa 100644
--- a/.github/workflows/__analyze-ref-input.yml
+++ b/.github/workflows/__analyze-ref-input.yml
@@ -25,12 +25,6 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- version: stable-20220401
- - os: macos-latest
- version: stable-20220401
- - os: windows-latest
- version: stable-20220401
 - os: ubuntu-latest
 version: stable-20220615
 - os: macos-latest
@@ -49,6 +43,12 @@ jobs:
 version: stable-20221211
 - os: windows-latest
 version: stable-20221211
+ - os: ubuntu-latest
+ version: stable-20230418
+ - os: macos-latest
+ version: stable-20230418
+ - os: windows-latest
+ version: stable-20230418
 - os: ubuntu-latest
 version: cached
 - os: macos-latest
diff --git a/.github/workflows/__go-custom-queries.yml b/.github/workflows/__go-custom-queries.yml
index afa78f3c7..b75dfeab6 100644
--- a/.github/workflows/__go-custom-queries.yml
+++ b/.github/workflows/__go-custom-queries.yml
@@ -25,12 +25,6 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- version: stable-20220401
- - os: macos-latest
- version: stable-20220401
- - os: windows-latest
- version: stable-20220401
 - os: ubuntu-latest
 version: stable-20220615
 - os: macos-latest
@@ -49,6 +43,12 @@ jobs:
 version: stable-20221211
 - os: windows-latest
 version: stable-20221211
+ - os: ubuntu-latest
+ version: stable-20230418
+ - os: macos-latest
+ version: stable-20230418
+ - os: windows-latest
+ version: stable-20230418
 - os: ubuntu-latest
 version: cached
 - os: macos-latest
diff --git a/.github/workflows/__go-tracing-autobuilder.yml b/.github/workflows/__go-tracing-autobuilder.yml
index 963f9bc50..a28f35d9a 100644
--- a/.github/workflows/__go-tracing-autobuilder.yml
+++ b/.github/workflows/__go-tracing-autobuilder.yml
@@ -25,10 +25,6 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- version: stable-20220401
- - os: macos-latest
- version: stable-20220401
 - os: ubuntu-latest
 version: stable-20220615
 - os: macos-latest
@@ -41,6 +37,10 @@ jobs:
 version: stable-20221211
 - os: macos-latest
 version: stable-20221211
+ - os: ubuntu-latest
+ version: stable-20230418
+ - os: macos-latest
+ version: stable-20230418
 - os: ubuntu-latest
 version: cached
 - os: macos-latest
diff --git a/.github/workflows/__go-tracing-custom-build-steps.yml b/.github/workflows/__go-tracing-custom-build-steps.yml
index bfe814357..47605c46f 100644
--- a/.github/workflows/__go-tracing-custom-build-steps.yml
+++ b/.github/workflows/__go-tracing-custom-build-steps.yml
@@ -25,10 +25,6 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- version: stable-20220401
- - os: macos-latest
- version: stable-20220401
 - os: ubuntu-latest
 version: stable-20220615
 - os: macos-latest
@@ -41,6 +37,10 @@ jobs:
 version: stable-20221211
 - os: macos-latest
 version: stable-20221211
+ - os: ubuntu-latest
+ version: stable-20230418
+ - os: macos-latest
+ version: stable-20230418
 - os: ubuntu-latest
 version: cached
 - os: macos-latest
diff --git a/.github/workflows/__go-tracing-legacy-workflow.yml b/.github/workflows/__go-tracing-legacy-workflow.yml
index e0dae91d6..606f55114 100644
--- a/.github/workflows/__go-tracing-legacy-workflow.yml
+++ b/.github/workflows/__go-tracing-legacy-workflow.yml
@@ -25,10 +25,6 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- version: stable-20220401
- - os: macos-latest
- version: stable-20220401
 - os: ubuntu-latest
 version: stable-20220615
 - os: macos-latest
@@ -41,6 +37,10 @@ jobs:
 version: stable-20221211
 - os: macos-latest
 version: stable-20221211
+ - os: ubuntu-latest
+ version: stable-20230418
+ - os: macos-latest
+ version: stable-20230418
 - os: ubuntu-latest
 version: cached
 - os: macos-latest
diff --git a/.github/workflows/__ml-powered-queries.yml b/.github/workflows/__ml-powered-queries.yml
index c965bc239..58504a687 100644
--- a/.github/workflows/__ml-powered-queries.yml
+++ b/.github/workflows/__ml-powered-queries.yml
@@ -25,12 +25,6 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- version: stable-20220401
- - os: macos-latest
- version: stable-20220401
- - os: windows-latest
- version: stable-20220401
 - os: ubuntu-latest
 version: stable-20220615
 - os: macos-latest
@@ -49,6 +43,12 @@ jobs:
 version: stable-20221211
 - os: windows-latest
 version: stable-20221211
+ - os: ubuntu-latest
+ version: stable-20230418
+ - os: macos-latest
+ version: stable-20230418
+ - os: windows-latest
+ version: stable-20230418
 - os: ubuntu-latest
 version: cached
 - os: macos-latest
@@ -110,23 +110,14 @@ jobs:
 - name: Check sarif
 uses: ./../action/.github/actions/check-sarif
- # Running on Windows requires CodeQL CLI 2.9.0+.
- if: "!(matrix.version == 'stable-20220401' && runner.os == 'Windows')"
 with:
 sarif-file: ${{ runner.temp }}/results/javascript.sarif
- queries-run:
- js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
+ queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
 queries-not-run: foo,bar
 - name: Check results
- env:
- # Running on Windows requires CodeQL CLI 2.9.0+.
- SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220401' &&
- runner.os == 'Windows') }}
 shell: bash
 run: |
- echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
-
 cd "$RUNNER_TEMP/results"
 # We should run at least the ML-powered queries in `expected_rules`.
 expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
@@ -135,12 +126,9 @@ jobs:
 found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) | flatten | .[].id] | any(. == $rule)' javascript.sarif)
 echo "Did find rule '${rule}': ${found_rule}"
- if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
+ if [[ "${found_rule}" != "true" ]]; then
 echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
 exit 1
- elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
- echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
- exit 1
 fi
 done
@@ -149,12 +137,9 @@ jobs:
 select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
 javascript.sarif)
 echo "Found ${num_alerts} alerts from ML-powered queries.";
- if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
+ if [[ "${num_alerts}" -eq 0 ]]; then
 echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
 exit 1
- elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
- echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
- exit 1
 fi
 env:
 CODEQL_ACTION_TEST_MODE: true
diff --git a/.github/workflows/__multi-language-autodetect.yml b/.github/workflows/__multi-language-autodetect.yml
index 83382ae4d..a88650c6e 100644
--- a/.github/workflows/__multi-language-autodetect.yml
+++ b/.github/workflows/__multi-language-autodetect.yml
@@ -25,10 +25,6 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- version: stable-20220401
- - os: macos-latest
- version: stable-20220401
 - os: ubuntu-latest
 version: stable-20220615
 - os: macos-latest
@@ -41,6 +37,10 @@ jobs:
 version: stable-20221211
 - os: macos-latest
 version: stable-20221211
+ - os: ubuntu-latest
+ version: stable-20230418
+ - os: macos-latest
+ version: stable-20230418
 - os: ubuntu-latest
 version: cached
 - os: macos-latest
diff --git a/.github/workflows/__packaging-codescanning-config-inputs-js.yml b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
index 8a106ff43..89717d46f 100644
--- a/.github/workflows/__packaging-codescanning-config-inputs-js.yml
+++ b/.github/workflows/__packaging-codescanning-config-inputs-js.yml
@@ -83,8 +83,7 @@ jobs:
 uses: ./../action/.github/actions/check-sarif
 with:
 sarif-file: ${{ runner.temp }}/results/javascript.sarif
- queries-run:
- javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+ queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
 queries-not-run: foo,bar
 - name: Assert Results
diff --git a/.github/workflows/__packaging-config-inputs-js.yml b/.github/workflows/__packaging-config-inputs-js.yml
index 994c09a0d..00f21105d 100644
--- a/.github/workflows/__packaging-config-inputs-js.yml
+++ b/.github/workflows/__packaging-config-inputs-js.yml
@@ -83,8 +83,7 @@ jobs:
 uses: ./../action/.github/actions/check-sarif
 with:
 sarif-file: ${{ runner.temp }}/results/javascript.sarif
- queries-run:
- javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+ queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
 queries-not-run: foo,bar
 - name: Assert Results
diff --git a/.github/workflows/__packaging-config-js.yml b/.github/workflows/__packaging-config-js.yml
index 70013f6f8..bf86b610e 100644
--- a/.github/workflows/__packaging-config-js.yml
+++ b/.github/workflows/__packaging-config-js.yml
@@ -82,8 +82,7 @@ jobs:
 uses: ./../action/.github/actions/check-sarif
 with:
 sarif-file: ${{ runner.temp }}/results/javascript.sarif
- queries-run:
- javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+ queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
 queries-not-run: foo,bar
 - name: Assert Results
diff --git a/.github/workflows/__packaging-inputs-js.yml b/.github/workflows/__packaging-inputs-js.yml
index 26485c1c9..98fa6b356 100644
--- a/.github/workflows/__packaging-inputs-js.yml
+++ b/.github/workflows/__packaging-inputs-js.yml
@@ -82,8 +82,7 @@ jobs:
 uses: ./../action/.github/actions/check-sarif
 with:
 sarif-file: ${{ runner.temp }}/results/javascript.sarif
- queries-run:
- javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
+ queries-run: javascript/example/empty-or-one-block,javascript/example/empty-or-one-block,javascript/example/other-query-block,javascript/example/two-block
 queries-not-run: foo,bar
 - name: Assert Results
diff --git a/.github/workflows/__remote-config.yml b/.github/workflows/__remote-config.yml
index b302fb7d9..e699528ad 100644
--- a/.github/workflows/__remote-config.yml
+++ b/.github/workflows/__remote-config.yml
@@ -25,12 +25,6 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- version: stable-20220401
- - os: macos-latest
- version: stable-20220401
- - os: windows-latest
- version: stable-20220401
 - os: ubuntu-latest
 version: stable-20220615
 - os: macos-latest
@@ -49,6 +43,12 @@ jobs:
 version: stable-20221211
 - os: windows-latest
 version: stable-20221211
+ - os: ubuntu-latest
+ version: stable-20230418
+ - os: macos-latest
+ version: stable-20230418
+ - os: windows-latest
+ version: stable-20230418
 - os: ubuntu-latest
 version: cached
 - os: macos-latest
diff --git a/.github/workflows/__unset-environment.yml b/.github/workflows/__unset-environment.yml
index f7a7f27c8..9c34631e4 100644
--- a/.github/workflows/__unset-environment.yml
+++ b/.github/workflows/__unset-environment.yml
@@ -25,14 +25,14 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- version: stable-20220401
 - os: ubuntu-latest
 version: stable-20220615
 - os: ubuntu-latest
 version: stable-20220908
 - os: ubuntu-latest
 version: stable-20221211
+ - os: ubuntu-latest
+ version: stable-20230418
 - os: ubuntu-latest
 version: cached
 - os: ubuntu-latest
diff --git a/.github/workflows/__upload-ref-sha-input.yml b/.github/workflows/__upload-ref-sha-input.yml
index 4108065aa..0f708b389 100644
--- a/.github/workflows/__upload-ref-sha-input.yml
+++ b/.github/workflows/__upload-ref-sha-input.yml
@@ -25,12 +25,6 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- version: stable-20220401
- - os: macos-latest
- version: stable-20220401
- - os: windows-latest
- version: stable-20220401
 - os: ubuntu-latest
 version: stable-20220615
 - os: macos-latest
@@ -49,6 +43,12 @@ jobs:
 version: stable-20221211
 - os: windows-latest
 version: stable-20221211
+ - os: ubuntu-latest
+ version: stable-20230418
+ - os: macos-latest
+ version: stable-20230418
+ - os: windows-latest
+ version: stable-20230418
 - os: ubuntu-latest
 version: cached
 - os: macos-latest
diff --git a/.github/workflows/__with-checkout-path.yml b/.github/workflows/__with-checkout-path.yml
index ec83717fe..17bfb1add 100644
--- a/.github/workflows/__with-checkout-path.yml
+++ b/.github/workflows/__with-checkout-path.yml
@@ -25,12 +25,6 @@ jobs:
 strategy:
 matrix:
 include:
- - os: ubuntu-latest
- version: stable-20220401
- - os: macos-latest
- version: stable-20220401
- - os: windows-latest
- version: stable-20220401
 - os: ubuntu-latest
 version: stable-20220615
 - os: macos-latest
@@ -49,6 +43,12 @@ jobs:
 version: stable-20221211
 - os: windows-latest
 version: stable-20221211
+ - os: ubuntu-latest
+ version: stable-20230418
+ - os: macos-latest
+ version: stable-20230418
+ - os: windows-latest
+ version: stable-20230418
 - os: ubuntu-latest
 version: cached
 - os: macos-latest
diff --git a/.github/workflows/debug-artifacts.yml b/.github/workflows/debug-artifacts.yml
index 9336a03bf..b91ac304c 100644
--- a/.github/workflows/debug-artifacts.yml
+++ b/.github/workflows/debug-artifacts.yml
@@ -25,10 +25,10 @@ jobs:
 - ubuntu-latest
 - macos-latest
 version:
- stable-20220401
 - stable-20220615
 - stable-20220908
 - stable-20221211
+ - stable-20230418
 - cached
 - latest
 - nightly-latest
@@ -74,7 +74,7 @@ jobs:
 - name: Check expected artifacts exist
 shell: bash
 run: |
- VERSIONS="stable-20220401 stable-20220615 stable-20220908 stable-20221211 cached latest nightly-latest"
+ VERSIONS="stable-20220615 stable-20220908 stable-20221211 stable-20230418 cached latest nightly-latest"
 LANGUAGES="cpp csharp go java javascript python"
 for version in $VERSIONS; do
 for os in ubuntu-latest macos-latest; do
diff --git a/pr-checks/checks/ml-powered-queries.yml b/pr-checks/checks/ml-powered-queries.yml
index 2312b967d..87c5c375c 100644
--- a/pr-checks/checks/ml-powered-queries.yml
+++ b/pr-checks/checks/ml-powered-queries.yml
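Review bot: The `VERSIONS=` string in the "Check expected artifacts exist" step is a second, hand-maintained copy of the `version:` matrix list edited in the earlier debug-artifacts hunk, and a future matrix edit that forgets this string would leave the new version's artifacts unverified without any failure to flag it. The two copies are updated consistently in this commit, but nothing in either hunk ties them together. Unless such a note already exists outside the hunk, a comment on the `VERSIONS=` line such as `# Keep in sync with the `version:` list under strategy.matrix above.` (and the reverse cross-reference on the matrix) would make the coupling visible at the point of edit. The `run:` block continues past the end of the hunk.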
@@ -22,21 +22,14 @@ steps:
 - name: Check sarif
 uses: ./../action/.github/actions/check-sarif
- # Running on Windows requires CodeQL CLI 2.9.0+.
- if: "!(matrix.version == 'stable-20220401' && runner.os == 'Windows')"
 with:
 sarif-file: ${{ runner.temp }}/results/javascript.sarif
 queries-run: js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
 queries-not-run: foo,bar
 - name: Check results
- env:
- # Running on Windows requires CodeQL CLI 2.9.0+.
- SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220401' && runner.os == 'Windows') }}
 shell: bash
 run: |
- echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"
-
 cd "$RUNNER_TEMP/results"
 # We should run at least the ML-powered queries in `expected_rules`.
 expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
@@ -45,12 +38,9 @@ steps:
 found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) | flatten | .[].id] | any(. == $rule)' javascript.sarif)
 echo "Did find rule '${rule}': ${found_rule}"
- if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
+ if [[ "${found_rule}" != "true" ]]; then
 echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
 exit 1
- elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
- echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
- exit 1
 fi
 done
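Review bot: With the `if:` on the Check sarif step and the `SHOULD_RUN_ML_POWERED_QUERIES` env gone, every matrix entry including Windows now asserts that the ML-powered queries ran, and that only holds because the oldest bundle left is stable-20220615 (CLI 2.9.4 per the sync.py comment in this same diff) while the removed comment stated that Windows needs CLI 2.9.0+. That floor is no longer recorded anywhere in this check, so someone re-adding an older bundle to the test matrix would get a failure here whose message says nothing about why. I would keep a one-line comment above `- name: Check sarif`, e.g. `# ML-powered queries on Windows need CodeQL CLI 2.9.0+; the oldest bundle in the matrix must stay at or above that.` The `run:` script of the Check results step continues in the following hunks.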
@@ -59,10 +49,7 @@ steps:
 select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
 javascript.sarif)
 echo "Found ${num_alerts} alerts from ML-powered queries.";
- if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
+ if [[ "${num_alerts}" -eq 0 ]]; then
 echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
 exit 1
- elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
- echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
- exit 1
 fi
diff --git a/pr-checks/sync.py b/pr-checks/sync.py
index bde096454..5c0c32246 100644
--- a/pr-checks/sync.py
+++ b/pr-checks/sync.py
@@ -5,14 +5,14 @@
 # The default set of CodeQL Bundle versions to use for the PR checks.
 defaultTestVersions = [
- # The oldest supported CodeQL version: 2.8.5. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
- "stable-20220401",
- # The last CodeQL release in the 2.9 series: 2.9.4.
+ # The oldest supported CodeQL version: 2.9.4. If bumping, update `CODEQL_MINIMUM_VERSION` in `codeql.ts`
 "stable-20220615",
 # The last CodeQL release in the 2.10 series: 2.10.5.
 "stable-20220908",
 # The last CodeQL release in the 2.11 series: 2.11.6.
 "stable-20221211",
+ # The last CodeQL release in the 2.12 series: 2.12.7.
+ "stable-20230418",
 # The version of CodeQL currently in the toolcache. Typically either the latest release or the one before.
 "cached",
 # The latest release of CodeQL.