github/codeql-action
0
0
Fork 0
mirror of https://github.com/github/codeql-action.git synced 2026-05-07 14:20:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into platform_lang_pkg

Browse Source
This commit is contained in:
Marco Gario
2020-09-17 14:02:08 +02:00
parent b9f08d924a c9b06117cb
commit 7f2fa9ca20
37 changed files with 999 additions and 1421 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/actions-util.test.ts
+39
View File
@@ -0,0 +1,39 @@
import test from "ava";
import { getRef, prepareLocalRunEnvironment } from "./actions-util";
import { setupTests } from "./testing-utils";
setupTests(test);
test("getRef() throws on the empty string", (t) => {
process.env["GITHUB_REF"] = "";
t.throws(getRef);
});
test("prepareEnvironment() when a local run", (t) => {
const origLocalRun = process.env.CODEQL_LOCAL_RUN;
process.env.CODEQL_LOCAL_RUN = "false";
process.env.GITHUB_JOB = "YYY";
prepareLocalRunEnvironment();
// unchanged
t.deepEqual(process.env.GITHUB_JOB, "YYY");
process.env.CODEQL_LOCAL_RUN = "true";
prepareLocalRunEnvironment();
// unchanged
t.deepEqual(process.env.GITHUB_JOB, "YYY");
process.env.GITHUB_JOB = "";
prepareLocalRunEnvironment();
// updated
t.deepEqual(process.env.GITHUB_JOB, "UNKNOWN-JOB");
process.env.CODEQL_LOCAL_RUN = origLocalRun;
});
src/actions-util.ts
+332
View File
@@ -0,0 +1,332 @@
import * as core from "@actions/core";
import * as toolrunnner from "@actions/exec/lib/toolrunner";
import * as api from "./api-client";
import * as sharedEnv from "./shared-environment";
import { isLocalRun, GITHUB_DOTCOM_URL } from "./util";
/**
* Wrapper around core.getInput for inputs that always have a value.
* Also see getOptionalInput.
*
* This allows us to get stronger type checking of required/optional inputs
* and make behaviour more consistent between actions and the runner.
*/
export function getRequiredInput(name: string): string {
return core.getInput(name, { required: true });
}
/**
* Wrapper around core.getInput that converts empty inputs to undefined.
* Also see getRequiredInput.
*
* This allows us to get stronger type checking of required/optional inputs
* and make behaviour more consistent between actions and the runner.
*/
export function getOptionalInput(name: string): string | undefined {
const value = core.getInput(name);
return value.length > 0 ? value : undefined;
}
/**
* Get an environment parameter, but throw an error if it is not set.
*/
export function getRequiredEnvParam(paramName: string): string {
const value = process.env[paramName];
if (value === undefined || value.length === 0) {
throw new Error(`${paramName} environment variable must be set`);
}
core.debug(`${paramName}=${value}`);
return value;
}
/**
* Ensures all required environment variables are set in the context of a local run.
*/
export function prepareLocalRunEnvironment() {
if (!isLocalRun()) {
return;
}
core.debug("Action is running locally.");
if (!process.env.GITHUB_JOB) {
core.exportVariable("GITHUB_JOB", "UNKNOWN-JOB");
}
}
/**
* Gets the SHA of the commit that is currently checked out.
*/
export async function getCommitOid(): Promise<string> {
// Try to use git to get the current commit SHA. If that fails then
// log but otherwise silently fall back to using the SHA from the environment.
// The only time these two values will differ is during analysis of a PR when
// the workflow has changed the current commit to the head commit instead of
// the merge commit, which must mean that git is available.
// Even if this does go wrong, it's not a huge problem for the alerts to
// reported on the merge commit.
try {
let commitOid = "";
await new toolrunnner.ToolRunner("git", ["rev-parse", "HEAD"], {
silent: true,
listeners: {
stdout: (data) => {
commitOid += data.toString();
},
stderr: (data) => {
process.stderr.write(data);
},
},
}).exec();
return commitOid.trim();
} catch (e) {
core.info(
`Failed to call git to get current commit. Continuing with data from environment: ${e}`
);
return getRequiredEnvParam("GITHUB_SHA");
}
}
/**
* Get the path of the currently executing workflow.
*/
async function getWorkflowPath(): Promise<string> {
const repo_nwo = getRequiredEnvParam("GITHUB_REPOSITORY").split("/");
const owner = repo_nwo[0];
const repo = repo_nwo[1];
const run_id = Number(getRequiredEnvParam("GITHUB_RUN_ID"));
const apiClient = api.getActionsApiClient();
const runsResponse = await apiClient.request(
"GET /repos/:owner/:repo/actions/runs/:run_id",
{
owner,
repo,
run_id,
}
);
const workflowUrl = runsResponse.data.workflow_url;
const workflowResponse = await apiClient.request(`GET ${workflowUrl}`);
return workflowResponse.data.path;
}
/**
* Get the workflow run ID.
*/
export function getWorkflowRunID(): number {
const workflowRunID = parseInt(getRequiredEnvParam("GITHUB_RUN_ID"), 10);
if (Number.isNaN(workflowRunID)) {
throw new Error("GITHUB_RUN_ID must define a non NaN workflow run ID");
}
return workflowRunID;
}
/**
* Get the analysis key paramter for the current job.
*
* This will combine the workflow path and current job name.
* Computing this the first time requires making requests to
* the github API, but after that the result will be cached.
*/
export async function getAnalysisKey(): Promise<string> {
const analysisKeyEnvVar = "CODEQL_ACTION_ANALYSIS_KEY";
let analysisKey = process.env[analysisKeyEnvVar];
if (analysisKey !== undefined) {
return analysisKey;
}
const workflowPath = await getWorkflowPath();
const jobName = getRequiredEnvParam("GITHUB_JOB");
analysisKey = `${workflowPath}:${jobName}`;
core.exportVariable(analysisKeyEnvVar, analysisKey);
return analysisKey;
}
/**
* Get the ref currently being analyzed.
*/
export function getRef(): string {
// Will be in the form "refs/heads/master" on a push event
// or in the form "refs/pull/N/merge" on a pull_request event
const ref = getRequiredEnvParam("GITHUB_REF");
// For pull request refs we want to convert from the 'merge' ref
// to the 'head' ref, as that is what we want to analyse.
// There should have been some code earlier in the workflow to do
// the checkout, but we have no way of verifying that here.
const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
if (pull_ref_regex.test(ref)) {
return ref.replace(pull_ref_regex, "refs/pull/$1/head");
} else {
return ref;
}
}
type ActionName = "init" | "autobuild" | "finish" | "upload-sarif";
type ActionStatus = "starting" | "aborted" | "success" | "failure";
export interface StatusReportBase {
// ID of the workflow run containing the action run
workflow_run_id: number;
// Workflow name. Converted to analysis_name further down the pipeline.
workflow_name: string;
// Job name from the workflow
job_name: string;
// Analysis key, normally composed from the workflow path and job name
analysis_key: string;
// Value of the matrix for this instantiation of the job
matrix_vars?: string;
// Commit oid that the workflow was triggered on
commit_oid: string;
// Ref that the workflow was triggered on
ref: string;
// Name of the action being executed
action_name: ActionName;
// Version if the action being executed, as a commit oid
action_oid: string;
// Time the first action started. Normally the init action
started_at: string;
// Time this action started
action_started_at: string;
// Time this action completed, or undefined if not yet completed
completed_at?: string;
// State this action is currently in
status: ActionStatus;
// Cause of the failure (or undefined if status is not failure)
cause?: string;
// Stack trace of the failure (or undefined if status is not failure)
exception?: string;
}
/**
* Compose a StatusReport.
*
* @param actionName The name of the action, e.g. 'init', 'finish', 'upload-sarif'
* @param status The status. Must be 'success', 'failure', or 'starting'
* @param startedAt The time this action started executing.
* @param cause Cause of failure (only supply if status is 'failure')
* @param exception Exception (only supply if status is 'failure')
*/
export async function createStatusReportBase(
actionName: ActionName,
status: ActionStatus,
actionStartedAt: Date,
cause?: string,
exception?: string
): Promise<StatusReportBase> {
const commitOid = process.env["GITHUB_SHA"] || "";
const ref = getRef();
const workflowRunIDStr = process.env["GITHUB_RUN_ID"];
let workflowRunID = -1;
if (workflowRunIDStr) {
workflowRunID = parseInt(workflowRunIDStr, 10);
}
const workflowName = process.env["GITHUB_WORKFLOW"] || "";
const jobName = process.env["GITHUB_JOB"] || "";
const analysis_key = await getAnalysisKey();
let workflowStartedAt = process.env[sharedEnv.CODEQL_WORKFLOW_STARTED_AT];
if (workflowStartedAt === undefined) {
workflowStartedAt = actionStartedAt.toISOString();
core.exportVariable(
sharedEnv.CODEQL_WORKFLOW_STARTED_AT,
workflowStartedAt
);
}
const statusReport: StatusReportBase = {
workflow_run_id: workflowRunID,
workflow_name: workflowName,
job_name: jobName,
analysis_key,
commit_oid: commitOid,
ref,
action_name: actionName,
action_oid: "unknown", // TODO decide if it's possible to fill this in
started_at: workflowStartedAt,
action_started_at: actionStartedAt.toISOString(),
status,
};
// Add optional parameters
if (cause) {
statusReport.cause = cause;
}
if (exception) {
statusReport.exception = exception;
}
if (status === "success" || status === "failure" || status === "aborted") {
statusReport.completed_at = new Date().toISOString();
}
const matrix = getRequiredInput("matrix");
if (matrix) {
statusReport.matrix_vars = matrix;
}
return statusReport;
}
/**
* Send a status report to the code_scanning/analysis/status endpoint.
*
* Optionally checks the response from the API endpoint and sets the action
* as failed if the status report failed. This is only expected to be used
* when sending a 'starting' report.
*
* Returns whether sending the status report was successful of not.
*/
export async function sendStatusReport<S extends StatusReportBase>(
statusReport: S,
ignoreFailures?: boolean
): Promise<boolean> {
if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
core.debug("Not sending status report to GitHub Enterprise");
return true;
}
if (isLocalRun()) {
core.debug("Not sending status report because this is a local run");
return true;
}
const statusReportJSON = JSON.stringify(statusReport);
core.debug(`Sending status report: ${statusReportJSON}`);
const nwo = getRequiredEnvParam("GITHUB_REPOSITORY");
const [owner, repo] = nwo.split("/");
const client = api.getActionsApiClient();
const statusResponse = await client.request(
"PUT /repos/:owner/:repo/code-scanning/analysis/status",
{
owner,
repo,
data: statusReportJSON,
}
);
if (!ignoreFailures) {
// If the status report request fails with a 403 or a 404, then this is a deliberate
// message from the endpoint that the SARIF upload can be expected to fail too,
// so the action should fail to avoid wasting actions minutes.
//
// Other failure responses (or lack thereof) could be transitory and should not
// cause the action to fail.
if (statusResponse.status === 403) {
core.setFailed(
"The repo on which this action is running is not opted-in to CodeQL code scanning."
);
return false;
}
if (statusResponse.status === 404) {
core.setFailed(
"Not authorized to used the CodeQL code scanning feature on this repo."
);
return false;
}
}
return true;
}
src/analyze-action.ts
+27 -22
View File
@@ -1,5 +1,6 @@
import * as core from "@actions/core";
import * as actionsUtil from "./actions-util";
import { AnalysisStatusReport, runAnalyze } from "./analyze";
import { getConfig } from "./config-utils";
import { getActionsLogger } from "./logging";
@@ -7,7 +8,7 @@ import { parseRepositoryNwo } from "./repository";
import * as util from "./util";
interface FinishStatusReport
extends util.StatusReportBase,
extends actionsUtil.StatusReportBase,
AnalysisStatusReport {}
async function sendStatusReport(
@@ -19,7 +20,7 @@ async function sendStatusReport(
stats?.analyze_failure_language !== undefined || error !== undefined
? "failure"
: "success";
const statusReportBase = await util.createStatusReportBase(
const statusReportBase = await actionsUtil.createStatusReportBase(
"finish",
status,
startedAt,
@@ -30,17 +31,21 @@ async function sendStatusReport(
...statusReportBase,
...(stats || {}),
};
await util.sendStatusReport(statusReport);
await actionsUtil.sendStatusReport(statusReport);
}
async function run() {
const startedAt = new Date();
let stats: AnalysisStatusReport | undefined = undefined;
try {
util.prepareLocalRunEnvironment();
actionsUtil.prepareLocalRunEnvironment();
if (
!(await util.sendStatusReport(
await util.createStatusReportBase("finish", "starting", startedAt),
!(await actionsUtil.sendStatusReport(
await actionsUtil.createStatusReportBase(
"finish",
"starting",
startedAt
),
true
))
) {
@@ -48,7 +53,7 @@ async function run() {
}
const logger = getActionsLogger();
const config = await getConfig(
util.getRequiredEnvParam("RUNNER_TEMP"),
actionsUtil.getRequiredEnvParam("RUNNER_TEMP"),
logger
);
if (config === undefined) {
@@ -57,22 +62,22 @@ async function run() {
);
}
stats = await runAnalyze(
parseRepositoryNwo(util.getRequiredEnvParam("GITHUB_REPOSITORY")),
await util.getCommitOid(),
util.getRef(),
await util.getAnalysisKey(),
util.getRequiredEnvParam("GITHUB_WORKFLOW"),
util.getWorkflowRunID(),
core.getInput("checkout_path"),
core.getInput("matrix"),
core.getInput("token"),
util.getRequiredEnvParam("GITHUB_SERVER_URL"),
core.getInput("upload") === "true",
parseRepositoryNwo(actionsUtil.getRequiredEnvParam("GITHUB_REPOSITORY")),
await actionsUtil.getCommitOid(),
actionsUtil.getRef(),
await actionsUtil.getAnalysisKey(),
actionsUtil.getRequiredEnvParam("GITHUB_WORKFLOW"),
actionsUtil.getWorkflowRunID(),
actionsUtil.getRequiredInput("checkout_path"),
actionsUtil.getRequiredInput("matrix"),
actionsUtil.getRequiredInput("token"),
actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"),
actionsUtil.getRequiredInput("upload") === "true",
"actions",
core.getInput("output"),
util.getMemoryFlag(core.getInput("ram")),
util.getAddSnippetsFlag(core.getInput("add-snippets")),
util.getThreadsFlag(core.getInput("threads"), logger),
actionsUtil.getRequiredInput("output"),
util.getMemoryFlag(actionsUtil.getOptionalInput("ram")),
util.getAddSnippetsFlag(actionsUtil.getRequiredInput("add-snippets")),
util.getThreadsFlag(actionsUtil.getOptionalInput("threads"), logger),
config,
logger
);
src/api-client.ts
+3 -3
View File
@@ -1,9 +1,9 @@
import * as core from "@actions/core";
import * as github from "@actions/github";
import consoleLogLevel from "console-log-level";
import * as path from "path";
import { getRequiredEnvParam, isLocalRun } from "./util";
import { getRequiredEnvParam, getRequiredInput } from "./actions-util";
import { isLocalRun } from "./util";
export const getApiClient = function (
githubAuth: string,
@@ -40,7 +40,7 @@ function getApiUrl(githubUrl: string): string {
// and called only from the action entrypoints.
export function getActionsApiClient(allowLocalRun = false) {
return getApiClient(
core.getInput("token"),
getRequiredInput("token"),
getRequiredEnvParam("GITHUB_SERVER_URL"),
allowLocalRun
);
src/autobuild-action.ts
+12 -8
View File
@@ -1,12 +1,12 @@
import * as core from "@actions/core";
import * as actionsUtil from "./actions-util";
import { determineAutobuildLanguage, runAutobuild } from "./autobuild";
import * as config_utils from "./config-utils";
import { Language } from "./languages";
import { getActionsLogger } from "./logging";
import * as util from "./util";
interface AutobuildStatusReport extends util.StatusReportBase {
interface AutobuildStatusReport extends actionsUtil.StatusReportBase {
// Comma-separated set of languages being autobuilt
autobuild_languages: string;
// Language that failed autobuilding (or undefined if all languages succeeded).
@@ -23,7 +23,7 @@ async function sendCompletedStatusReport(
failingLanguage !== undefined || cause !== undefined
? "failure"
: "success";
const statusReportBase = await util.createStatusReportBase(
const statusReportBase = await actionsUtil.createStatusReportBase(
"autobuild",
status,
startedAt,
@@ -35,7 +35,7 @@ async function sendCompletedStatusReport(
autobuild_languages: allLanguages.join(","),
autobuild_failure: failingLanguage,
};
await util.sendStatusReport(statusReport);
await actionsUtil.sendStatusReport(statusReport);
}
async function run() {
@@ -43,10 +43,14 @@ async function run() {
const startedAt = new Date();
let language: Language | undefined = undefined;
try {
util.prepareLocalRunEnvironment();
actionsUtil.prepareLocalRunEnvironment();
if (
!(await util.sendStatusReport(
await util.createStatusReportBase("autobuild", "starting", startedAt),
!(await actionsUtil.sendStatusReport(
await actionsUtil.createStatusReportBase(
"autobuild",
"starting",
startedAt
),
true
))
) {
@@ -54,7 +58,7 @@ async function run() {
}
const config = await config_utils.getConfig(
util.getRequiredEnvParam("RUNNER_TEMP"),
actionsUtil.getRequiredEnvParam("RUNNER_TEMP"),
logger
);
if (config === undefined) {
src/codeql.ts
+2 -1
View File
@@ -9,6 +9,7 @@ import * as stream from "stream";
import * as globalutil from "util";
import uuidV4 from "uuid/v4";
import { getRequiredEnvParam } from "./actions-util";
import * as api from "./api-client";
import * as defaults from "./defaults.json"; // Referenced from codeql-action-sync-tool!
import { errorMatchers } from "./error-matcher";
@@ -125,7 +126,7 @@ function getCodeQLActionRepository(mode: util.Mode): string {
// Actions do not know their own repository name,
// so we currently use this hack to find the name based on where our files are.
// This can be removed once the change to the runner in https://github.com/actions/runner/pull/585 is deployed.
const runnerTemp = util.getRequiredEnvParam("RUNNER_TEMP");
const runnerTemp = getRequiredEnvParam("RUNNER_TEMP");
const actionsDirectory = path.join(path.dirname(runnerTemp), "_actions");
const relativeScriptPath = path.relative(actionsDirectory, __filename);
// This handles the case where the Action does not come from an Action repository,
src/codeql.ts.orig
-676
View File
@@ -1,676 +0,0 @@
<<<<<<< HEAD
import * as toolrunnner from '@actions/exec/lib/toolrunner';
import * as http from '@actions/http-client';
import { IHeaders } from '@actions/http-client/interfaces';
import * as toolcache from '@actions/tool-cache';
import * as fs from 'fs';
import * as path from 'path';
import * as semver from 'semver';
import * as stream from 'stream';
import * as globalutil from 'util';
import uuidV4 from 'uuid/v4';
import * as api from './api-client';
import * as defaults from './defaults.json'; // Referenced from codeql-action-sync-tool!
import { errorMatchers} from './error-matcher';
import { Language } from './languages';
import { Logger } from './logging';
import { toolrunnerErrorCatcher } from './toolrunner-error-catcher';
import * as util from './util';
type Options = (string|number|boolean)[];
=======
import * as toolrunnner from "@actions/exec/lib/toolrunner";
import * as http from "@actions/http-client";
import { IHeaders } from "@actions/http-client/interfaces";
import * as toolcache from "@actions/tool-cache";
import * as fs from "fs";
import * as path from "path";
import * as semver from "semver";
import * as stream from "stream";
import * as globalutil from "util";
import uuidV4 from "uuid/v4";
import * as api from "./api-client";
import * as defaults from "./defaults.json"; // Referenced from codeql-action-sync-tool!
import { Language } from "./languages";
import { Logger } from "./logging";
import * as util from "./util";
type Options = Array<string | number | boolean>;
>>>>>>> main
/**
* Extra command line options for the codeql commands.
*/
interface ExtraOptions {
"*"?: Options;
database?: {
"*"?: Options;
init?: Options;
"trace-command"?: Options;
analyze?: Options;
finalize?: Options;
};
resolve?: {
"*"?: Options;
extractor?: Options;
queries?: Options;
};
}
export interface CodeQL {
/**
* Get the path of the CodeQL executable.
*/
getPath(): string;
/**
* Print version information about CodeQL.
*/
printVersion(): Promise<void>;
/**
* Run 'codeql database trace-command' on 'tracer-env.js' and parse
* the result to get environment variables set by CodeQL.
*/
getTracerEnv(databasePath: string): Promise<{ [key: string]: string }>;
/**
* Run 'codeql database init'.
*/
databaseInit(
databasePath: string,
language: Language,
sourceRoot: string
): Promise<void>;
/**
* Runs the autobuilder for the given language.
*/
runAutobuild(language: Language): Promise<void>;
/**
* Extract code for a scanned language using 'codeql database trace-command'
* and running the language extracter.
*/
extractScannedLanguage(database: string, language: Language): Promise<void>;
/**
* Finalize a database using 'codeql database finalize'.
*/
finalizeDatabase(databasePath: string): Promise<void>;
/**
* Run 'codeql resolve queries'.
*/
resolveQueries(
queries: string[],
extraSearchPath: string | undefined
): Promise<ResolveQueriesOutput>;
/**
* Run 'codeql database analyze'.
*/
databaseAnalyze(
databasePath: string,
sarifFile: string,
querySuite: string,
memoryFlag: string,
addSnippetsFlag: string,
threadsFlag: string
): Promise<void>;
}
export interface ResolveQueriesOutput {
byLanguage: {
[language: string]: {
[queryPath: string]: {};
};
};
noDeclaredLanguage: {
[queryPath: string]: {};
};
multipleDeclaredLanguages: {
[queryPath: string]: {};
};
}
/**
* Stores the CodeQL object, and is populated by `setupCodeQL` or `getCodeQL`.
* Can be overridden in tests using `setCodeQL`.
*/
let cachedCodeQL: CodeQL | undefined = undefined;
const CODEQL_BUNDLE_VERSION = defaults.bundleVersion;
const CODEQL_BUNDLE_NAME = "codeql-bundle.tar.gz";
const CODEQL_DEFAULT_ACTION_REPOSITORY = "github/codeql-action";
function getCodeQLActionRepository(mode: util.Mode): string {
if (mode !== "actions") {
return CODEQL_DEFAULT_ACTION_REPOSITORY;
}
// Actions do not know their own repository name,
// so we currently use this hack to find the name based on where our files are.
// This can be removed once the change to the runner in https://github.com/actions/runner/pull/585 is deployed.
const runnerTemp = util.getRequiredEnvParam("RUNNER_TEMP");
const actionsDirectory = path.join(path.dirname(runnerTemp), "_actions");
const relativeScriptPath = path.relative(actionsDirectory, __filename);
// This handles the case where the Action does not come from an Action repository,
// e.g. our integration tests which use the Action code from the current checkout.
if (
relativeScriptPath.startsWith("..") ||
path.isAbsolute(relativeScriptPath)
) {
return CODEQL_DEFAULT_ACTION_REPOSITORY;
}
const relativeScriptPathParts = relativeScriptPath.split(path.sep);
return `${relativeScriptPathParts[0]}/${relativeScriptPathParts[1]}`;
}
async function getCodeQLBundleDownloadURL(
githubAuth: string,
githubUrl: string,
mode: util.Mode,
logger: Logger
): Promise<string> {
const codeQLActionRepository = getCodeQLActionRepository(mode);
const potentialDownloadSources = [
// This GitHub instance, and this Action.
[githubUrl, codeQLActionRepository],
// This GitHub instance, and the canonical Action.
[githubUrl, CODEQL_DEFAULT_ACTION_REPOSITORY],
// GitHub.com, and the canonical Action.
[util.GITHUB_DOTCOM_URL, CODEQL_DEFAULT_ACTION_REPOSITORY],
];
// We now filter out any duplicates.
// Duplicates will happen either because the GitHub instance is GitHub.com, or because the Action is not a fork.
const uniqueDownloadSources = potentialDownloadSources.filter(
(url, index, self) => index === self.indexOf(url)
);
for (const downloadSource of uniqueDownloadSources) {
const [apiURL, repository] = downloadSource;
// If we've reached the final case, short-circuit the API check since we know the bundle exists and is public.
if (
apiURL === util.GITHUB_DOTCOM_URL &&
repository === CODEQL_DEFAULT_ACTION_REPOSITORY
) {
break;
}
const [repositoryOwner, repositoryName] = repository.split("/");
try {
const release = await api
.getApiClient(githubAuth, githubUrl)
.repos.getReleaseByTag({
owner: repositoryOwner,
repo: repositoryName,
tag: CODEQL_BUNDLE_VERSION,
});
for (const asset of release.data.assets) {
if (asset.name === CODEQL_BUNDLE_NAME) {
logger.info(
`Found CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} with URL ${asset.url}.`
);
return asset.url;
}
}
} catch (e) {
logger.info(
`Looked for CodeQL bundle in ${downloadSource[1]} on ${downloadSource[0]} but got error ${e}.`
);
}
}
return `https://github.com/${CODEQL_DEFAULT_ACTION_REPOSITORY}/releases/download/${CODEQL_BUNDLE_VERSION}/${CODEQL_BUNDLE_NAME}`;
}
// We have to download CodeQL manually because the toolcache doesn't support Accept headers.
// This can be removed once https://github.com/actions/toolkit/pull/530 is merged and released.
async function toolcacheDownloadTool(
url: string,
headers: IHeaders | undefined,
tempDir: string,
logger: Logger
): Promise<string> {
const client = new http.HttpClient("CodeQL Action");
const dest = path.join(tempDir, uuidV4());
const response: http.HttpClientResponse = await client.get(url, headers);
if (response.message.statusCode !== 200) {
logger.info(
`Failed to download from "${url}". Code(${response.message.statusCode}) Message(${response.message.statusMessage})`
);
throw new Error(`Unexpected HTTP response: ${response.message.statusCode}`);
}
const pipeline = globalutil.promisify(stream.pipeline);
fs.mkdirSync(path.dirname(dest), { recursive: true });
await pipeline(response.message, fs.createWriteStream(dest));
return dest;
}
export async function setupCodeQL(
codeqlURL: string | undefined,
githubAuth: string,
githubUrl: string,
tempDir: string,
toolsDir: string,
mode: util.Mode,
logger: Logger
): Promise<CodeQL> {
// Setting these two env vars makes the toolcache code safe to use outside,
// of actions but this is obviously not a great thing we're doing and it would
// be better to write our own implementation to use outside of actions.
process.env["RUNNER_TEMP"] = tempDir;
process.env["RUNNER_TOOL_CACHE"] = toolsDir;
try {
const codeqlURLVersion = getCodeQLURLVersion(
codeqlURL || `/${CODEQL_BUNDLE_VERSION}/`,
logger
);
let codeqlFolder = toolcache.find("CodeQL", codeqlURLVersion);
if (codeqlFolder) {
logger.debug(`CodeQL found in cache ${codeqlFolder}`);
} else {
if (!codeqlURL) {
codeqlURL = await getCodeQLBundleDownloadURL(
githubAuth,
githubUrl,
mode,
logger
);
}
const headers: IHeaders = { accept: "application/octet-stream" };
// We only want to provide an authorization header if we are downloading
// from the same GitHub instance the Action is running on.
// This avoids leaking Enterprise tokens to dotcom.
if (codeqlURL.startsWith(`${githubUrl}/`)) {
logger.debug("Downloading CodeQL bundle with token.");
headers.authorization = `token ${githubAuth}`;
} else {
logger.debug("Downloading CodeQL bundle without token.");
}
logger.info(
`Downloading CodeQL tools from ${codeqlURL}. This may take a while.`
);
const codeqlPath = await toolcacheDownloadTool(
codeqlURL,
headers,
tempDir,
logger
);
logger.debug(`CodeQL bundle download to ${codeqlPath} complete.`);
const codeqlExtracted = await toolcache.extractTar(codeqlPath);
codeqlFolder = await toolcache.cacheDir(
codeqlExtracted,
"CodeQL",
codeqlURLVersion
);
}
let codeqlCmd = path.join(codeqlFolder, "codeql", "codeql");
if (process.platform === "win32") {
codeqlCmd += ".exe";
} else if (process.platform !== "linux" && process.platform !== "darwin") {
throw new Error(`Unsupported platform: ${process.platform}`);
}
cachedCodeQL = getCodeQLForCmd(codeqlCmd);
return cachedCodeQL;
} catch (e) {
logger.error(e);
throw new Error("Unable to download and extract CodeQL CLI");
}
}
export function getCodeQLURLVersion(url: string, logger: Logger): string {
const match = url.match(/\/codeql-bundle-(.*)\//);
if (match === null || match.length < 2) {
throw new Error(
`Malformed tools url: ${url}. Version could not be inferred`
);
}
let version = match[1];
if (!semver.valid(version)) {
logger.debug(
`Bundle version ${version} is not in SemVer format. Will treat it as pre-release 0.0.0-${version}.`
);
version = `0.0.0-${version}`;
}
const s = semver.clean(version);
if (!s) {
throw new Error(
`Malformed tools url ${url}. Version should be in SemVer format but have ${version} instead`
);
}
return s;
}
/**
* Use the CodeQL executable located at the given path.
*/
export function getCodeQL(cmd: string): CodeQL {
if (cachedCodeQL === undefined) {
cachedCodeQL = getCodeQLForCmd(cmd);
}
return cachedCodeQL;
}
function resolveFunction<T>(
partialCodeql: Partial<CodeQL>,
methodName: string,
defaultImplementation?: T
): T {
if (typeof partialCodeql[methodName] !== "function") {
if (defaultImplementation !== undefined) {
return defaultImplementation;
}
const dummyMethod = () => {
throw new Error(`CodeQL ${methodName} method not correctly defined`);
};
return dummyMethod as any;
}
return partialCodeql[methodName];
}
/**
* Set the functionality for CodeQL methods. Only for use in tests.
*
* Accepts a partial object and any undefined methods will be implemented
* to immediately throw an exception indicating which method is missing.
*/
export function setCodeQL(partialCodeql: Partial<CodeQL>): CodeQL {
cachedCodeQL = {
getPath: resolveFunction(partialCodeql, "getPath", () => "/tmp/dummy-path"),
printVersion: resolveFunction(partialCodeql, "printVersion"),
getTracerEnv: resolveFunction(partialCodeql, "getTracerEnv"),
databaseInit: resolveFunction(partialCodeql, "databaseInit"),
runAutobuild: resolveFunction(partialCodeql, "runAutobuild"),
extractScannedLanguage: resolveFunction(
partialCodeql,
"extractScannedLanguage"
),
finalizeDatabase: resolveFunction(partialCodeql, "finalizeDatabase"),
resolveQueries: resolveFunction(partialCodeql, "resolveQueries"),
databaseAnalyze: resolveFunction(partialCodeql, "databaseAnalyze"),
};
return cachedCodeQL;
}
/**
* Get the cached CodeQL object. Should only be used from tests.
*
* TODO: Work out a good way for tests to get this from the test context
* instead of having to have this method.
*/
export function getCachedCodeQL(): CodeQL {
if (cachedCodeQL === undefined) {
// Should never happen as setCodeQL is called by testing-utils.setupTests
throw new Error("cachedCodeQL undefined");
}
return cachedCodeQL;
}
function getCodeQLForCmd(cmd: string): CodeQL {
return {
getPath() {
return cmd;
},
async printVersion() {
await new toolrunnner.ToolRunner(cmd, [
"version",
"--format=json",
]).exec();
},
async getTracerEnv(databasePath: string) {
// Write tracer-env.js to a temp location.
const tracerEnvJs = path.resolve(
databasePath,
"working",
"tracer-env.js"
);
fs.mkdirSync(path.dirname(tracerEnvJs), { recursive: true });
fs.writeFileSync(
tracerEnvJs,
`
const fs = require('fs');
const env = {};
for (let entry of Object.entries(process.env)) {
const key = entry[0];
const value = entry[1];
if (typeof value !== 'undefined' && key !== '_' && !key.startsWith('JAVA_MAIN_CLASS_')) {
env[key] = value;
}
}
process.stdout.write(process.argv[2]);
fs.writeFileSync(process.argv[2], JSON.stringify(env), 'utf-8');`
);
const envFile = path.resolve(databasePath, "working", "env.tmp");
await new toolrunnner.ToolRunner(cmd, [
"database",
"trace-command",
databasePath,
...getExtraOptionsFromEnv(["database", "trace-command"]),
process.execPath,
tracerEnvJs,
envFile,
]).exec();
return JSON.parse(fs.readFileSync(envFile, "utf-8"));
},
async databaseInit(
databasePath: string,
language: Language,
sourceRoot: string
) {
await new toolrunnner.ToolRunner(cmd, [
"database",
"init",
databasePath,
`--language=${language}`,
`--source-root=${sourceRoot}`,
...getExtraOptionsFromEnv(["database", "init"]),
]).exec();
},
async runAutobuild(language: Language) {
const cmdName =
process.platform === "win32" ? "autobuild.cmd" : "autobuild.sh";
const autobuildCmd = path.join(
path.dirname(cmd),
language,
"tools",
cmdName
);
// Update JAVA_TOOL_OPTIONS to contain '-Dhttp.keepAlive=false'
// This is because of an issue with Azure pipelines timing out connections after 4 minutes
// and Maven not properly handling closed connections
// Otherwise long build processes will timeout when pulling down Java packages
// https://developercommunity.visualstudio.com/content/problem/292284/maven-hosted-agent-connection-timeout.html
const javaToolOptions = process.env["JAVA_TOOL_OPTIONS"] || "";
process.env["JAVA_TOOL_OPTIONS"] = [
...javaToolOptions.split(/\s+/),
"-Dhttp.keepAlive=false",
"-Dmaven.wagon.http.pool=false",
].join(" ");
await new toolrunnner.ToolRunner(autobuildCmd).exec();
},
async extractScannedLanguage(databasePath: string, language: Language) {
// Get extractor location
let extractorPath = "";
await new toolrunnner.ToolRunner(
cmd,
[
"resolve",
"extractor",
"--format=json",
`--language=${language}`,
...getExtraOptionsFromEnv(["resolve", "extractor"]),
],
{
silent: true,
listeners: {
stdout: (data) => {
extractorPath += data.toString();
},
stderr: (data) => {
process.stderr.write(data);
},
},
}
).exec();
// Set trace command
const ext = process.platform === "win32" ? ".cmd" : ".sh";
const traceCommand = path.resolve(
JSON.parse(extractorPath),
"tools",
`autobuild${ext}`
);
// Run trace command
<<<<<<< HEAD
await toolrunnerErrorCatcher(
cmd, [
'database',
'trace-command',
...getExtraOptionsFromEnv(['database', 'trace-command']),
databasePath,
'--',
traceCommand
],
errorMatchers
);
},
finalizeDatabase: async function(databasePath: string) {
await toolrunnerErrorCatcher(
cmd, [
'database',
'finalize',
...getExtraOptionsFromEnv(['database', 'finalize']),
databasePath
],
errorMatchers);
=======
await new toolrunnner.ToolRunner(cmd, [
"database",
"trace-command",
...getExtraOptionsFromEnv(["database", "trace-command"]),
databasePath,
"--",
traceCommand,
]).exec();
},
async finalizeDatabase(databasePath: string) {
await new toolrunnner.ToolRunner(cmd, [
"database",
"finalize",
...getExtraOptionsFromEnv(["database", "finalize"]),
databasePath,
]).exec();
>>>>>>> main
},
async resolveQueries(
queries: string[],
extraSearchPath: string | undefined
) {
const codeqlArgs = [
"resolve",
"queries",
...queries,
"--format=bylanguage",
...getExtraOptionsFromEnv(["resolve", "queries"]),
];
if (extraSearchPath !== undefined) {
codeqlArgs.push("--search-path", extraSearchPath);
}
let output = "";
await new toolrunnner.ToolRunner(cmd, codeqlArgs, {
listeners: {
stdout: (data: Buffer) => {
output += data.toString();
},
},
}).exec();
return JSON.parse(output);
},
async databaseAnalyze(
databasePath: string,
sarifFile: string,
querySuite: string,
memoryFlag: string,
addSnippetsFlag: string,
threadsFlag: string
) {
await new toolrunnner.ToolRunner(cmd, [
"database",
"analyze",
memoryFlag,
threadsFlag,
databasePath,
"--format=sarif-latest",
`--output=${sarifFile}`,
addSnippetsFlag,
...getExtraOptionsFromEnv(["database", "analyze"]),
querySuite,
]).exec();
},
};
}
/**
* Gets the options for `path` of `options` as an array of extra option strings.
*/
function getExtraOptionsFromEnv(path: string[]) {
const options: ExtraOptions = util.getExtraOptionsEnvParam();
return getExtraOptions(options, path, []);
}
/**
* Gets the options for `path` of `options` as an array of extra option strings.
*
* - the special terminal step name '*' in `options` matches all path steps
* - throws an exception if this conversion is impossible.
*/
export /* exported for testing */ function getExtraOptions(
options: any,
path: string[],
pathInfo: string[]
): string[] {
/**
* Gets `options` as an array of extra option strings.
*
* - throws an exception mentioning `pathInfo` if this conversion is impossible.
*/
function asExtraOptions(options: any, pathInfo: string[]): string[] {
if (options === undefined) {
return [];
}
if (!Array.isArray(options)) {
const msg = `The extra options for '${pathInfo.join(
"."
)}' ('${JSON.stringify(options)}') are not in an array.`;
throw new Error(msg);
}
return options.map((o) => {
const t = typeof o;
if (t !== "string" && t !== "number" && t !== "boolean") {
const msg = `The extra option for '${pathInfo.join(
"."
)}' ('${JSON.stringify(o)}') is not a primitive value.`;
throw new Error(msg);
}
return `${o}`;
});
}
const all = asExtraOptions(options?.["*"], pathInfo.concat("*"));
const specific =
path.length === 0
? asExtraOptions(options, pathInfo)
: getExtraOptions(
options?.[path[0]],
path?.slice(1),
pathInfo.concat(path[0])
);
return all.concat(specific);
}
src/init-action.ts
+34 -29
View File
@@ -1,14 +1,14 @@
import * as core from "@actions/core";
import * as actionsUtil from "./actions-util";
import { CodeQL } from "./codeql";
import * as configUtils from "./config-utils";
import { initCodeQL, initConfig, injectWindowsTracer, runInit } from "./init";
import { getLanguages } from "./languages";
import { getActionsLogger } from "./logging";
import { parseRepositoryNwo } from "./repository";
import * as util from "./util";
interface InitSuccessStatusReport extends util.StatusReportBase {
interface InitSuccessStatusReport extends actionsUtil.StatusReportBase {
// Comma-separated list of languages that analysis was run for
// This may be from the workflow file or may be calculated from repository contents
languages: string;
@@ -28,14 +28,14 @@ async function sendSuccessStatusReport(
startedAt: Date,
config: configUtils.Config
) {
const statusReportBase = await util.createStatusReportBase(
const statusReportBase = await actionsUtil.createStatusReportBase(
"init",
"success",
startedAt
);
const languages = config.languages.join(",");
const workflowLanguages = core.getInput("languages", { required: false });
const workflowLanguages = actionsUtil.getOptionalInput("languages");
const paths = (config.originalUserInput.paths || []).join(",");
const pathsIgnore = (config.originalUserInput["paths-ignore"] || []).join(
","
@@ -52,14 +52,14 @@ async function sendSuccessStatusReport(
const statusReport: InitSuccessStatusReport = {
...statusReportBase,
languages,
workflow_languages: workflowLanguages,
workflow_languages: workflowLanguages || "",
paths,
paths_ignore: pathsIgnore,
disable_default_queries: disableDefaultQueries,
queries,
};
await util.sendStatusReport(statusReport);
await actionsUtil.sendStatusReport(statusReport);
}
async function run() {
@@ -69,55 +69,60 @@ async function run() {
let codeql: CodeQL;
try {
util.prepareLocalRunEnvironment();
actionsUtil.prepareLocalRunEnvironment();
if (
!(await util.sendStatusReport(
await util.createStatusReportBase("init", "starting", startedAt),
!(await actionsUtil.sendStatusReport(
await actionsUtil.createStatusReportBase("init", "starting", startedAt),
true
))
) {
return;
}
const repositoryNWO = parseRepositoryNwo(
util.getRequiredEnvParam("GITHUB_REPOSITORY")
actionsUtil.getRequiredEnvParam("GITHUB_REPOSITORY")
);
const languages = await getLanguages(
core.getInput("languages"),
actionsUtil.getOptionalInput("languages"),
repositoryNWO,
core.getInput("token"),
util.getRequiredEnvParam("GITHUB_SERVER_URL"),
actionsUtil.getRequiredInput("token"),
actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"),
logger
);
codeql = await initCodeQL(
core.getInput("tools"),
actionsUtil.getOptionalInput("tools"),
languages,
core.getInput("token"),
util.getRequiredEnvParam("GITHUB_SERVER_URL"),
util.getRequiredEnvParam("RUNNER_TEMP"),
util.getRequiredEnvParam("RUNNER_TOOL_CACHE"),
actionsUtil.getRequiredInput("token"),
actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"),
actionsUtil.getRequiredEnvParam("RUNNER_TEMP"),
actionsUtil.getRequiredEnvParam("RUNNER_TOOL_CACHE"),
"actions",
logger
);
config = await initConfig(
languages,
core.getInput("queries"),
core.getInput("config-file"),
util.getRequiredEnvParam("RUNNER_TEMP"),
util.getRequiredEnvParam("RUNNER_TOOL_CACHE"),
actionsUtil.getOptionalInput("queries"),
actionsUtil.getOptionalInput("config-file"),
actionsUtil.getRequiredEnvParam("RUNNER_TEMP"),
actionsUtil.getRequiredEnvParam("RUNNER_TOOL_CACHE"),
codeql,
util.getRequiredEnvParam("GITHUB_WORKSPACE"),
core.getInput("token"),
util.getRequiredEnvParam("GITHUB_SERVER_URL"),
actionsUtil.getRequiredEnvParam("GITHUB_WORKSPACE"),
actionsUtil.getRequiredInput("token"),
actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"),
logger
);
} catch (e) {
core.setFailed(e.message);
console.log(e);
await util.sendStatusReport(
await util.createStatusReportBase("init", "aborted", startedAt, e.message)
await actionsUtil.sendStatusReport(
await actionsUtil.createStatusReportBase(
"init",
"aborted",
startedAt,
e.message
)
);
return;
}
@@ -155,8 +160,8 @@ async function run() {
} catch (error) {
core.setFailed(error.message);
console.log(error);
await util.sendStatusReport(
await util.createStatusReportBase(
await actionsUtil.sendStatusReport(
await actionsUtil.createStatusReportBase(
"init",
"failure",
startedAt,
src/runner.ts
+3 -1
View File
@@ -242,7 +242,9 @@ program
const shEnvFile = path.join(config.tempDir, "codeql-env.sh");
const shEnvFileContents = Object.entries(tracerConfig.env)
// Some vars contain ${LIB} that we do not want to be expanded when executing this script
.map(([key, value]) => `export ${key}="${value.replace("$", "\\$")}"`)
.map(
([key, value]) => `export ${key}="${value.replace(/\$/g, "\\$")}"`
)
.join("\n");
fs.writeFileSync(shEnvFile, shEnvFileContents);
src/upload-sarif-action.ts
+23 -19
View File
@@ -1,19 +1,19 @@
import * as core from "@actions/core";
import * as actionsUtil from "./actions-util";
import { getActionsLogger } from "./logging";
import { parseRepositoryNwo } from "./repository";
import * as upload_lib from "./upload-lib";
import * as util from "./util";
interface UploadSarifStatusReport
extends util.StatusReportBase,
extends actionsUtil.StatusReportBase,
upload_lib.UploadStatusReport {}
async function sendSuccessStatusReport(
startedAt: Date,
uploadStats: upload_lib.UploadStatusReport
) {
const statusReportBase = await util.createStatusReportBase(
const statusReportBase = await actionsUtil.createStatusReportBase(
"upload-sarif",
"success",
startedAt
@@ -22,14 +22,18 @@ async function sendSuccessStatusReport(
...statusReportBase,
...uploadStats,
};
await util.sendStatusReport(statusReport);
await actionsUtil.sendStatusReport(statusReport);
}
async function run() {
const startedAt = new Date();
if (
!(await util.sendStatusReport(
await util.createStatusReportBase("upload-sarif", "starting", startedAt),
!(await actionsUtil.sendStatusReport(
await actionsUtil.createStatusReportBase(
"upload-sarif",
"starting",
startedAt
),
true
))
) {
@@ -38,17 +42,17 @@ async function run() {
try {
const uploadStats = await upload_lib.upload(
core.getInput("sarif_file"),
parseRepositoryNwo(util.getRequiredEnvParam("GITHUB_REPOSITORY")),
await util.getCommitOid(),
util.getRef(),
await util.getAnalysisKey(),
util.getRequiredEnvParam("GITHUB_WORKFLOW"),
util.getWorkflowRunID(),
core.getInput("checkout_path"),
core.getInput("matrix"),
core.getInput("token"),
util.getRequiredEnvParam("GITHUB_SERVER_URL"),
actionsUtil.getRequiredInput("sarif_file"),
parseRepositoryNwo(actionsUtil.getRequiredEnvParam("GITHUB_REPOSITORY")),
await actionsUtil.getCommitOid(),
actionsUtil.getRef(),
await actionsUtil.getAnalysisKey(),
actionsUtil.getRequiredEnvParam("GITHUB_WORKFLOW"),
actionsUtil.getWorkflowRunID(),
actionsUtil.getRequiredInput("checkout_path"),
actionsUtil.getRequiredInput("matrix"),
actionsUtil.getRequiredInput("token"),
actionsUtil.getRequiredEnvParam("GITHUB_SERVER_URL"),
"actions",
getActionsLogger()
);
@@ -56,8 +60,8 @@ async function run() {
} catch (error) {
core.setFailed(error.message);
console.log(error);
await util.sendStatusReport(
await util.createStatusReportBase(
await actionsUtil.sendStatusReport(
await actionsUtil.createStatusReportBase(
"upload-sarif",
"failure",
startedAt,
src/util.test.ts
+15 -45
View File
@@ -20,12 +20,13 @@ test("getToolNames", (t) => {
test("getMemoryFlag() should return the correct --ram flag", (t) => {
const totalMem = Math.floor(os.totalmem() / (1024 * 1024));
const tests = {
"": `--ram=${totalMem - 256}`,
"512": "--ram=512",
};
const tests = [
[undefined, `--ram=${totalMem - 256}`],
["", `--ram=${totalMem - 256}`],
["512", "--ram=512"],
];
for (const [input, expectedFlag] of Object.entries(tests)) {
for (const [input, expectedFlag] of tests) {
const flag = util.getMemoryFlag(input);
t.deepEqual(flag, expectedFlag);
}
@@ -50,14 +51,16 @@ test("getAddSnippetsFlag() should return the correct flag", (t) => {
test("getThreadsFlag() should return the correct --threads flag", (t) => {
const numCpus = os.cpus().length;
const tests = {
"0": "--threads=0",
"1": "--threads=1",
[`${numCpus + 1}`]: `--threads=${numCpus}`,
[`${-numCpus - 1}`]: `--threads=${-numCpus}`,
};
const tests = [
["0", "--threads=0"],
["1", "--threads=1"],
[undefined, `--threads=${numCpus}`],
["", `--threads=${numCpus}`],
[`${numCpus + 1}`, `--threads=${numCpus}`],
[`${-numCpus - 1}`, `--threads=${-numCpus}`],
];
for (const [input, expectedFlag] of Object.entries(tests)) {
for (const [input, expectedFlag] of tests) {
const flag = util.getThreadsFlag(input, getRunnerLogger(true));
t.deepEqual(flag, expectedFlag);
}
@@ -67,11 +70,6 @@ test("getThreadsFlag() throws if the threads input is not an integer", (t) => {
t.throws(() => util.getThreadsFlag("hello!", getRunnerLogger(true)));
});
test("getRef() throws on the empty string", (t) => {
process.env["GITHUB_REF"] = "";
t.throws(util.getRef);
});
test("isLocalRun() runs correctly", (t) => {
const origLocalRun = process.env.CODEQL_LOCAL_RUN;
@@ -93,34 +91,6 @@ test("isLocalRun() runs correctly", (t) => {
process.env.CODEQL_LOCAL_RUN = origLocalRun;
});
test("prepareEnvironment() when a local run", (t) => {
const origLocalRun = process.env.CODEQL_LOCAL_RUN;
process.env.CODEQL_LOCAL_RUN = "false";
process.env.GITHUB_JOB = "YYY";
util.prepareLocalRunEnvironment();
// unchanged
t.deepEqual(process.env.GITHUB_JOB, "YYY");
process.env.CODEQL_LOCAL_RUN = "true";
util.prepareLocalRunEnvironment();
// unchanged
t.deepEqual(process.env.GITHUB_JOB, "YYY");
process.env.GITHUB_JOB = "";
util.prepareLocalRunEnvironment();
// updated
t.deepEqual(process.env.GITHUB_JOB, "UNKNOWN-JOB");
process.env.CODEQL_LOCAL_RUN = origLocalRun;
});
test("getExtraOptionsEnvParam() succeeds on valid JSON with invalid options (for now)", (t) => {
const origExtraOptions = process.env.CODEQL_ACTION_EXTRA_OPTIONS;
src/util.ts
-307
View File
@@ -1,13 +1,9 @@
import * as core from "@actions/core";
import * as toolrunnner from "@actions/exec/lib/toolrunner";
import * as fs from "fs";
import * as os from "os";
import * as path from "path";
import * as api from "./api-client";
import { Language } from "./languages";
import { Logger } from "./logging";
import * as sharedEnv from "./shared-environment";
/**
* Are we running on actions, or not.
@@ -19,18 +15,6 @@ export type Mode = "actions" | "runner";
*/
export const GITHUB_DOTCOM_URL = "https://github.com";
/**
* Get an environment parameter, but throw an error if it is not set.
*/
export function getRequiredEnvParam(paramName: string): string {
const value = process.env[paramName];
if (value === undefined || value.length === 0) {
throw new Error(`${paramName} environment variable must be set`);
}
core.debug(`${paramName}=${value}`);
return value;
}
/**
* Get the extra options for the codeql commands.
*/
@@ -57,297 +41,6 @@ export function isLocalRun(): boolean {
);
}
/**
* Ensures all required environment variables are set in the context of a local run.
*/
export function prepareLocalRunEnvironment() {
if (!isLocalRun()) {
return;
}
core.debug("Action is running locally.");
if (!process.env.GITHUB_JOB) {
core.exportVariable("GITHUB_JOB", "UNKNOWN-JOB");
}
}
/**
* Gets the SHA of the commit that is currently checked out.
*/
export async function getCommitOid(): Promise<string> {
// Try to use git to get the current commit SHA. If that fails then
// log but otherwise silently fall back to using the SHA from the environment.
// The only time these two values will differ is during analysis of a PR when
// the workflow has changed the current commit to the head commit instead of
// the merge commit, which must mean that git is available.
// Even if this does go wrong, it's not a huge problem for the alerts to
// reported on the merge commit.
try {
let commitOid = "";
await new toolrunnner.ToolRunner("git", ["rev-parse", "HEAD"], {
silent: true,
listeners: {
stdout: (data) => {
commitOid += data.toString();
},
stderr: (data) => {
process.stderr.write(data);
},
},
}).exec();
return commitOid.trim();
} catch (e) {
core.info(
`Failed to call git to get current commit. Continuing with data from environment: ${e}`
);
return getRequiredEnvParam("GITHUB_SHA");
}
}
/**
* Get the path of the currently executing workflow.
*/
async function getWorkflowPath(): Promise<string> {
const repo_nwo = getRequiredEnvParam("GITHUB_REPOSITORY").split("/");
const owner = repo_nwo[0];
const repo = repo_nwo[1];
const run_id = Number(getRequiredEnvParam("GITHUB_RUN_ID"));
const apiClient = api.getActionsApiClient();
const runsResponse = await apiClient.request(
"GET /repos/:owner/:repo/actions/runs/:run_id",
{
owner,
repo,
run_id,
}
);
const workflowUrl = runsResponse.data.workflow_url;
const workflowResponse = await apiClient.request(`GET ${workflowUrl}`);
return workflowResponse.data.path;
}
/**
* Get the workflow run ID.
*/
export function getWorkflowRunID(): number {
const workflowRunID = parseInt(getRequiredEnvParam("GITHUB_RUN_ID"), 10);
if (Number.isNaN(workflowRunID)) {
throw new Error("GITHUB_RUN_ID must define a non NaN workflow run ID");
}
return workflowRunID;
}
/**
* Get the analysis key paramter for the current job.
*
* This will combine the workflow path and current job name.
* Computing this the first time requires making requests to
* the github API, but after that the result will be cached.
*/
export async function getAnalysisKey(): Promise<string> {
const analysisKeyEnvVar = "CODEQL_ACTION_ANALYSIS_KEY";
let analysisKey = process.env[analysisKeyEnvVar];
if (analysisKey !== undefined) {
return analysisKey;
}
const workflowPath = await getWorkflowPath();
const jobName = getRequiredEnvParam("GITHUB_JOB");
analysisKey = `${workflowPath}:${jobName}`;
core.exportVariable(analysisKeyEnvVar, analysisKey);
return analysisKey;
}
/**
* Get the ref currently being analyzed.
*/
export function getRef(): string {
// Will be in the form "refs/heads/master" on a push event
// or in the form "refs/pull/N/merge" on a pull_request event
const ref = getRequiredEnvParam("GITHUB_REF");
// For pull request refs we want to convert from the 'merge' ref
// to the 'head' ref, as that is what we want to analyse.
// There should have been some code earlier in the workflow to do
// the checkout, but we have no way of verifying that here.
const pull_ref_regex = /refs\/pull\/(\d+)\/merge/;
if (pull_ref_regex.test(ref)) {
return ref.replace(pull_ref_regex, "refs/pull/$1/head");
} else {
return ref;
}
}
type ActionName = "init" | "autobuild" | "finish" | "upload-sarif";
type ActionStatus = "starting" | "aborted" | "success" | "failure";
export interface StatusReportBase {
// ID of the workflow run containing the action run
workflow_run_id: number;
// Workflow name. Converted to analysis_name further down the pipeline.
workflow_name: string;
// Job name from the workflow
job_name: string;
// Analysis key, normally composed from the workflow path and job name
analysis_key: string;
// Value of the matrix for this instantiation of the job
matrix_vars?: string;
// Commit oid that the workflow was triggered on
commit_oid: string;
// Ref that the workflow was triggered on
ref: string;
// Name of the action being executed
action_name: ActionName;
// Version if the action being executed, as a commit oid
action_oid: string;
// Time the first action started. Normally the init action
started_at: string;
// Time this action started
action_started_at: string;
// Time this action completed, or undefined if not yet completed
completed_at?: string;
// State this action is currently in
status: ActionStatus;
// Cause of the failure (or undefined if status is not failure)
cause?: string;
// Stack trace of the failure (or undefined if status is not failure)
exception?: string;
}
/**
* Compose a StatusReport.
*
* @param actionName The name of the action, e.g. 'init', 'finish', 'upload-sarif'
* @param status The status. Must be 'success', 'failure', or 'starting'
* @param startedAt The time this action started executing.
* @param cause Cause of failure (only supply if status is 'failure')
* @param exception Exception (only supply if status is 'failure')
*/
export async function createStatusReportBase(
actionName: ActionName,
status: ActionStatus,
actionStartedAt: Date,
cause?: string,
exception?: string
): Promise<StatusReportBase> {
const commitOid = process.env["GITHUB_SHA"] || "";
const ref = getRef();
const workflowRunIDStr = process.env["GITHUB_RUN_ID"];
let workflowRunID = -1;
if (workflowRunIDStr) {
workflowRunID = parseInt(workflowRunIDStr, 10);
}
const workflowName = process.env["GITHUB_WORKFLOW"] || "";
const jobName = process.env["GITHUB_JOB"] || "";
const analysis_key = await getAnalysisKey();
let workflowStartedAt = process.env[sharedEnv.CODEQL_WORKFLOW_STARTED_AT];
if (workflowStartedAt === undefined) {
workflowStartedAt = actionStartedAt.toISOString();
core.exportVariable(
sharedEnv.CODEQL_WORKFLOW_STARTED_AT,
workflowStartedAt
);
}
const statusReport: StatusReportBase = {
workflow_run_id: workflowRunID,
workflow_name: workflowName,
job_name: jobName,
analysis_key,
commit_oid: commitOid,
ref,
action_name: actionName,
action_oid: "unknown", // TODO decide if it's possible to fill this in
started_at: workflowStartedAt,
action_started_at: actionStartedAt.toISOString(),
status,
};
// Add optional parameters
if (cause) {
statusReport.cause = cause;
}
if (exception) {
statusReport.exception = exception;
}
if (status === "success" || status === "failure" || status === "aborted") {
statusReport.completed_at = new Date().toISOString();
}
const matrix: string | undefined = core.getInput("matrix");
if (matrix) {
statusReport.matrix_vars = matrix;
}
return statusReport;
}
/**
* Send a status report to the code_scanning/analysis/status endpoint.
*
* Optionally checks the response from the API endpoint and sets the action
* as failed if the status report failed. This is only expected to be used
* when sending a 'starting' report.
*
* Returns whether sending the status report was successful of not.
*/
export async function sendStatusReport<S extends StatusReportBase>(
statusReport: S,
ignoreFailures?: boolean
): Promise<boolean> {
if (getRequiredEnvParam("GITHUB_SERVER_URL") !== GITHUB_DOTCOM_URL) {
core.debug("Not sending status report to GitHub Enterprise");
return true;
}
if (isLocalRun()) {
core.debug("Not sending status report because this is a local run");
return true;
}
const statusReportJSON = JSON.stringify(statusReport);
core.debug(`Sending status report: ${statusReportJSON}`);
const nwo = getRequiredEnvParam("GITHUB_REPOSITORY");
const [owner, repo] = nwo.split("/");
const client = api.getActionsApiClient();
const statusResponse = await client.request(
"PUT /repos/:owner/:repo/code-scanning/analysis/status",
{
owner,
repo,
data: statusReportJSON,
}
);
if (!ignoreFailures) {
// If the status report request fails with a 403 or a 404, then this is a deliberate
// message from the endpoint that the SARIF upload can be expected to fail too,
// so the action should fail to avoid wasting actions minutes.
//
// Other failure responses (or lack thereof) could be transitory and should not
// cause the action to fail.
if (statusResponse.status === 403) {
core.setFailed(
"The repo on which this action is running is not opted-in to CodeQL code scanning."
);
return false;
}
if (statusResponse.status === 404) {
core.setFailed(
"Not authorized to used the CodeQL code scanning feature on this repo."
);
return false;
}
}
return true;
}
/**
* Get the array of all the tool names contained in the given sarif contents.
*