Merge remote-tracking branch 'origin/main' into mbg/ts/sync-checks

Michael B. Gale
2026-03-25 12:43:53 +00:00
35 changed files with 14894 additions and 9437 deletions
+1 -1
@@ -131,7 +131,7 @@ jobs:
echo "::endgroup::"
- name: Generate token
uses: actions/create-github-app-token@v2.2.1
uses: actions/create-github-app-token@v3.0.0
id: app-token
with:
app-id: ${{ vars.AUTOMATION_APP_ID }}
+1 -1
@@ -136,7 +136,7 @@ jobs:
- name: Generate token
if: github.event_name == 'workflow_dispatch'
uses: actions/create-github-app-token@v2.2.1
uses: actions/create-github-app-token@v3.0.0
id: app-token
with:
app-id: ${{ vars.AUTOMATION_APP_ID }}
+1 -1
@@ -93,7 +93,7 @@ jobs:
pull-requests: write # needed to create pull request
steps:
- name: Generate token
uses: actions/create-github-app-token@v2.2.1
uses: actions/create-github-app-token@v3.0.0
id: app-token
with:
app-id: ${{ vars.AUTOMATION_APP_ID }}
+15
@@ -4,6 +4,20 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
## [UNRELEASED]
- Reduced the minimum Git version required for [improved incremental analysis](https://github.com/github/roadmap/issues/1158) from 2.38.0 to 2.11.0. [#3767](https://github.com/github/codeql-action/pull/3767)
## 4.34.1 - 20 Mar 2026
- Downgrade default CodeQL bundle version to [2.24.3](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.3) due to issues with a small percentage of Actions and JavaScript analyses. [#3762](https://github.com/github/codeql-action/pull/3762)
## 4.34.0 - 20 Mar 2026
- Added an experimental change which disables TRAP caching when [improved incremental analysis](https://github.com/github/roadmap/issues/1158) is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. [#3569](https://github.com/github/codeql-action/pull/3569)
- We are rolling out improved incremental analysis to C/C++ analyses that use build mode `none`. We expect this rollout to be complete by the end of April 2026. [#3584](https://github.com/github/codeql-action/pull/3584)
- Update default CodeQL bundle version to [2.25.0](https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.25.0). [#3585](https://github.com/github/codeql-action/pull/3585)
## 4.33.0 - 16 Mar 2026
- Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. [#3562](https://github.com/github/codeql-action/pull/3562)
To opt out of this change:
@@ -14,6 +28,7 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
- The CodeQL Action now loads [custom repository properties](https://docs.github.com/en/organizations/managing-organization-settings/managing-custom-properties-for-repositories-in-your-organization) on GitHub Enterprise Server, enabling the customization of features such as `github-codeql-disable-overlay` that was previously only available on GitHub.com. [#3559](https://github.com/github/codeql-action/pull/3559)
- Once [private package registries](https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries) can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. [#3563](https://github.com/github/codeql-action/pull/3563)
- Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". [#3564](https://github.com/github/codeql-action/pull/3564)
- A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. [#3570](https://github.com/github/codeql-action/pull/3570)
## 4.32.6 - 05 Mar 2026
+1236 -818
+1187 -765
+1139 -721
+1268 -852
+1203 -789
+1135 -717
+1142 -722
+1232 -809
+1137 -712
+1129 -711
+1234 -809
+1146 -730
+111 -92
@@ -1,12 +1,12 @@
{
"name": "codeql",
"version": "4.32.7",
"version": "4.34.2",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "codeql",
"version": "4.32.7",
"version": "4.34.2",
"license": "MIT",
"workspaces": [
"pr-checks"
@@ -38,7 +38,7 @@
},
"devDependencies": {
"@ava/typescript": "6.0.0",
"@eslint/compat": "^2.0.2",
"@eslint/compat": "^2.0.3",
"@microsoft/eslint-formatter-sarif": "^3.1.0",
"@octokit/types": "^16.0.0",
"@types/archiver": "^7.0.0",
@@ -62,7 +62,7 @@
"nock": "^14.0.11",
"sinon": "^21.0.2",
"typescript": "^5.9.3",
"typescript-eslint": "^8.56.1"
"typescript-eslint": "^8.57.0"
}
},
"node_modules/@aashutoshrathi/word-wrap": {
@@ -1334,13 +1334,13 @@
}
},
"node_modules/@eslint/compat": {
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-2.0.2.tgz",
"integrity": "sha512-pR1DoD0h3HfF675QZx0xsyrsU8q70Z/plx7880NOhS02NuWLgBCOMDL787nUeQ7EWLkxv3bPQJaarjcPQb2Dwg==",
"version": "2.0.3",
"resolved": "https://registry.npmjs.org/@eslint/compat/-/compat-2.0.3.tgz",
"integrity": "sha512-SjIJhGigp8hmd1YGIBwh7Ovri7Kisl42GYFjrOyHhtfYGGoLW6teYi/5p8W50KSsawUPpuLOSmsq1bD0NGQLBw==",
"dev": true,
"license": "Apache-2.0",
"dependencies": {
"@eslint/core": "^1.1.0"
"@eslint/core": "^1.1.1"
},
"engines": {
"node": "^20.19.0 || ^22.13.0 || >=24"
@@ -1396,9 +1396,9 @@
}
},
"node_modules/@eslint/core": {
"version": "1.1.0",
"resolved": "https://registry.npmjs.org/@eslint/core/-/core-1.1.0.tgz",
"integrity": "sha512-/nr9K9wkr3P1EzFTdFdMoLuo1PmIxjmwvPozwoSodjNBdefGujXQUF93u1DDZpEaTuDvMsIQddsd35BwtrW9Xw==",
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/@eslint/core/-/core-1.1.1.tgz",
"integrity": "sha512-QUPblTtE51/7/Zhfv8BDwO0qkkzQL7P/aWWbqcf4xWLEYn1oKjdO0gglQBB4GAsu7u6wjijbCmzsUTy6mnk6oQ==",
"dev": true,
"license": "Apache-2.0",
"dependencies": {
@@ -2547,17 +2547,17 @@
"license": "MIT"
},
"node_modules/@typescript-eslint/eslint-plugin": {
"version": "8.56.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.56.1.tgz",
"integrity": "sha512-Jz9ZztpB37dNC+HU2HI28Bs9QXpzCz+y/twHOwhyrIRdbuVDxSytJNDl6z/aAKlaRIwC7y8wJdkBv7FxYGgi0A==",
"version": "8.57.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.57.0.tgz",
"integrity": "sha512-qeu4rTHR3/IaFORbD16gmjq9+rEs9fGKdX0kF6BKSfi+gCuG3RCKLlSBYzn/bGsY9Tj7KE/DAQStbp8AHJGHEQ==",
"dev": true,
"license": "MIT",
"dependencies": {
"@eslint-community/regexpp": "^4.12.2",
"@typescript-eslint/scope-manager": "8.56.1",
"@typescript-eslint/type-utils": "8.56.1",
"@typescript-eslint/utils": "8.56.1",
"@typescript-eslint/visitor-keys": "8.56.1",
"@typescript-eslint/scope-manager": "8.57.0",
"@typescript-eslint/type-utils": "8.57.0",
"@typescript-eslint/utils": "8.57.0",
"@typescript-eslint/visitor-keys": "8.57.0",
"ignore": "^7.0.5",
"natural-compare": "^1.4.0",
"ts-api-utils": "^2.4.0"
@@ -2570,7 +2570,7 @@
"url": "https://opencollective.com/typescript-eslint"
},
"peerDependencies": {
"@typescript-eslint/parser": "^8.56.1",
"@typescript-eslint/parser": "^8.57.0",
"eslint": "^8.57.0 || ^9.0.0 || ^10.0.0",
"typescript": ">=4.8.4 <6.0.0"
}
@@ -2586,16 +2586,16 @@
}
},
"node_modules/@typescript-eslint/parser": {
"version": "8.56.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.56.1.tgz",
"integrity": "sha512-klQbnPAAiGYFyI02+znpBRLyjL4/BrBd0nyWkdC0s/6xFLkXYQ8OoRrSkqacS1ddVxf/LDyODIKbQ5TgKAf/Fg==",
"version": "8.57.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.57.0.tgz",
"integrity": "sha512-XZzOmihLIr8AD1b9hL9ccNMzEMWt/dE2u7NyTY9jJG6YNiNthaD5XtUHVF2uCXZ15ng+z2hT3MVuxnUYhq6k1g==",
"dev": true,
"license": "MIT",
"dependencies": {
"@typescript-eslint/scope-manager": "8.56.1",
"@typescript-eslint/types": "8.56.1",
"@typescript-eslint/typescript-estree": "8.56.1",
"@typescript-eslint/visitor-keys": "8.56.1",
"@typescript-eslint/scope-manager": "8.57.0",
"@typescript-eslint/types": "8.57.0",
"@typescript-eslint/typescript-estree": "8.57.0",
"@typescript-eslint/visitor-keys": "8.57.0",
"debug": "^4.4.3"
},
"engines": {
@@ -2629,14 +2629,14 @@
}
},
"node_modules/@typescript-eslint/project-service": {
"version": "8.56.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.56.1.tgz",
"integrity": "sha512-TAdqQTzHNNvlVFfR+hu2PDJrURiwKsUvxFn1M0h95BB8ah5jejas08jUWG4dBA68jDMI988IvtfdAI53JzEHOQ==",
"version": "8.57.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.57.0.tgz",
"integrity": "sha512-pR+dK0BlxCLxtWfaKQWtYr7MhKmzqZxuii+ZjuFlZlIGRZm22HnXFqa2eY+90MUz8/i80YJmzFGDUsi8dMOV5w==",
"dev": true,
"license": "MIT",
"dependencies": {
"@typescript-eslint/tsconfig-utils": "^8.56.1",
"@typescript-eslint/types": "^8.56.1",
"@typescript-eslint/tsconfig-utils": "^8.57.0",
"@typescript-eslint/types": "^8.57.0",
"debug": "^4.4.3"
},
"engines": {
@@ -2669,14 +2669,14 @@
}
},
"node_modules/@typescript-eslint/scope-manager": {
"version": "8.56.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.56.1.tgz",
"integrity": "sha512-YAi4VDKcIZp0O4tz/haYKhmIDZFEUPOreKbfdAN3SzUDMcPhJ8QI99xQXqX+HoUVq8cs85eRKnD+rne2UAnj2w==",
"version": "8.57.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.57.0.tgz",
"integrity": "sha512-nvExQqAHF01lUM66MskSaZulpPL5pgy5hI5RfrxviLgzZVffB5yYzw27uK/ft8QnKXI2X0LBrHJFr1TaZtAibw==",
"dev": true,
"license": "MIT",
"dependencies": {
"@typescript-eslint/types": "8.56.1",
"@typescript-eslint/visitor-keys": "8.56.1"
"@typescript-eslint/types": "8.57.0",
"@typescript-eslint/visitor-keys": "8.57.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2687,9 +2687,9 @@
}
},
"node_modules/@typescript-eslint/tsconfig-utils": {
"version": "8.56.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.56.1.tgz",
"integrity": "sha512-qOtCYzKEeyr3aR9f28mPJqBty7+DBqsdd63eO0yyDwc6vgThj2UjWfJIcsFeSucYydqcuudMOprZ+x1SpF3ZuQ==",
"version": "8.57.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.57.0.tgz",
"integrity": "sha512-LtXRihc5ytjJIQEH+xqjB0+YgsV4/tW35XKX3GTZHpWtcC8SPkT/d4tqdf1cKtesryHm2bgp6l555NYcT2NLvA==",
"dev": true,
"license": "MIT",
"engines": {
@@ -2704,15 +2704,15 @@
}
},
"node_modules/@typescript-eslint/type-utils": {
"version": "8.56.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.56.1.tgz",
"integrity": "sha512-yB/7dxi7MgTtGhZdaHCemf7PuwrHMenHjmzgUW1aJpO+bBU43OycnM3Wn+DdvDO/8zzA9HlhaJ0AUGuvri4oGg==",
"version": "8.57.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.57.0.tgz",
"integrity": "sha512-yjgh7gmDcJ1+TcEg8x3uWQmn8ifvSupnPfjP21twPKrDP/pTHlEQgmKcitzF/rzPSmv7QjJ90vRpN4U+zoUjwQ==",
"dev": true,
"license": "MIT",
"dependencies": {
"@typescript-eslint/types": "8.56.1",
"@typescript-eslint/typescript-estree": "8.56.1",
"@typescript-eslint/utils": "8.56.1",
"@typescript-eslint/types": "8.57.0",
"@typescript-eslint/typescript-estree": "8.57.0",
"@typescript-eslint/utils": "8.57.0",
"debug": "^4.4.3",
"ts-api-utils": "^2.4.0"
},
@@ -2747,9 +2747,9 @@
}
},
"node_modules/@typescript-eslint/types": {
"version": "8.56.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.56.1.tgz",
"integrity": "sha512-dbMkdIUkIkchgGDIv7KLUpa0Mda4IYjo4IAMJUZ+3xNoUXxMsk9YtKpTHSChRS85o+H9ftm51gsK1dZReY9CVw==",
"version": "8.57.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.57.0.tgz",
"integrity": "sha512-dTLI8PEXhjUC7B9Kre+u0XznO696BhXcTlOn0/6kf1fHaQW8+VjJAVHJ3eTI14ZapTxdkOmc80HblPQLaEeJdg==",
"dev": true,
"license": "MIT",
"engines": {
@@ -2761,16 +2761,16 @@
}
},
"node_modules/@typescript-eslint/typescript-estree": {
"version": "8.56.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.56.1.tgz",
"integrity": "sha512-qzUL1qgalIvKWAf9C1HpvBjif+Vm6rcT5wZd4VoMb9+Km3iS3Cv9DY6dMRMDtPnwRAFyAi7YXJpTIEXLvdfPxg==",
"version": "8.57.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.57.0.tgz",
"integrity": "sha512-m7faHcyVg0BT3VdYTlX8GdJEM7COexXxS6KqGopxdtkQRvBanK377QDHr4W/vIPAR+ah9+B/RclSW5ldVniO1Q==",
"dev": true,
"license": "MIT",
"dependencies": {
"@typescript-eslint/project-service": "8.56.1",
"@typescript-eslint/tsconfig-utils": "8.56.1",
"@typescript-eslint/types": "8.56.1",
"@typescript-eslint/visitor-keys": "8.56.1",
"@typescript-eslint/project-service": "8.57.0",
"@typescript-eslint/tsconfig-utils": "8.57.0",
"@typescript-eslint/types": "8.57.0",
"@typescript-eslint/visitor-keys": "8.57.0",
"debug": "^4.4.3",
"minimatch": "^10.2.2",
"semver": "^7.7.3",
@@ -2846,16 +2846,16 @@
}
},
"node_modules/@typescript-eslint/utils": {
"version": "8.56.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.56.1.tgz",
"integrity": "sha512-HPAVNIME3tABJ61siYlHzSWCGtOoeP2RTIaHXFMPqjrQKCGB9OgUVdiNgH7TJS2JNIQ5qQ4RsAUDuGaGme/KOA==",
"version": "8.57.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.57.0.tgz",
"integrity": "sha512-5iIHvpD3CZe06riAsbNxxreP+MuYgVUsV0n4bwLH//VJmgtt54sQeY2GszntJ4BjYCpMzrfVh2SBnUQTtys2lQ==",
"dev": true,
"license": "MIT",
"dependencies": {
"@eslint-community/eslint-utils": "^4.9.1",
"@typescript-eslint/scope-manager": "8.56.1",
"@typescript-eslint/types": "8.56.1",
"@typescript-eslint/typescript-estree": "8.56.1"
"@typescript-eslint/scope-manager": "8.57.0",
"@typescript-eslint/types": "8.57.0",
"@typescript-eslint/typescript-estree": "8.57.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2870,13 +2870,13 @@
}
},
"node_modules/@typescript-eslint/visitor-keys": {
"version": "8.56.1",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.56.1.tgz",
"integrity": "sha512-KiROIzYdEV85YygXw6BI/Dx4fnBlFQu6Mq4QE4MOH9fFnhohw6wX/OAvDY2/C+ut0I3RSPKenvZJIVYqJNkhEw==",
"version": "8.57.0",
"resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.57.0.tgz",
"integrity": "sha512-zm6xx8UT/Xy2oSr2ZXD0pZo7Jx2XsCoID2IUh9YSTFRu7z+WdwYTRk6LhUftm1crwqbuoF6I8zAFeCMw0YjwDg==",
"dev": true,
"license": "MIT",
"dependencies": {
"@typescript-eslint/types": "8.56.1",
"@typescript-eslint/types": "8.57.0",
"eslint-visitor-keys": "^5.0.0"
},
"engines": {
@@ -5683,21 +5683,9 @@
"license": "MIT"
},
"node_modules/fast-xml-builder": {
"version": "1.0.0",
"resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.0.0.tgz",
"integrity": "sha512-fpZuDogrAgnyt9oDDz+5DBz0zgPdPZz6D4IR7iESxRXElrlGTRkHJ9eEt+SACRJwT0FNFrt71DFQIUFBJfX/uQ==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
"license": "MIT"
},
"node_modules/fast-xml-parser": {
"version": "5.4.1",
"resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.4.1.tgz",
"integrity": "sha512-BQ30U1mKkvXQXXkAGcuyUA/GA26oEB7NzOtsxCDtyu62sjGw5QraKFhx2Em3WQNjPw9PG6MQ9yuIIgkSDfGu5A==",
"version": "1.1.4",
"resolved": "https://registry.npmjs.org/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz",
"integrity": "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==",
"funding": [
{
"type": "github",
@@ -5706,8 +5694,24 @@
],
"license": "MIT",
"dependencies": {
"fast-xml-builder": "^1.0.0",
"strnum": "^2.1.2"
"path-expression-matcher": "^1.1.3"
}
},
"node_modules/fast-xml-parser": {
"version": "5.5.7",
"resolved": "https://registry.npmjs.org/fast-xml-parser/-/fast-xml-parser-5.5.7.tgz",
"integrity": "sha512-LteOsISQ2GEiDHZch6L9hB0+MLoYVLToR7xotrzU0opCICBkxOPgHAy1HxAvtxfJNXDJpgAsQN30mkrfpO2Prg==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
"license": "MIT",
"dependencies": {
"fast-xml-builder": "^1.1.4",
"path-expression-matcher": "^1.1.3",
"strnum": "^2.2.0"
},
"bin": {
"fxparser": "src/cli/cli.js"
@@ -7836,6 +7840,21 @@
"node": ">=8"
}
},
"node_modules/path-expression-matcher": {
"version": "1.1.3",
"resolved": "https://registry.npmjs.org/path-expression-matcher/-/path-expression-matcher-1.1.3.tgz",
"integrity": "sha512-qdVgY8KXmVdJZRSS1JdEPOKPdTiEK/pi0RkcT2sw1RhXxohdujUlJFPuS1TSkevZ9vzd3ZlL7ULl1MHGTApKzQ==",
"funding": [
{
"type": "github",
"url": "https://github.com/sponsors/NaturalIntelligence"
}
],
"license": "MIT",
"engines": {
"node": ">=14.0.0"
}
},
"node_modules/path-key": {
"version": "3.1.1",
"license": "MIT",
@@ -8825,9 +8844,9 @@
}
},
"node_modules/strnum": {
"version": "2.1.2",
"resolved": "https://registry.npmjs.org/strnum/-/strnum-2.1.2.tgz",
"integrity": "sha512-l63NF9y/cLROq/yqKXSLtcMeeyOfnSQlfMSlzFt/K73oIaD8DGaQWd7Z34X9GPiKqP5rbSh84Hl4bOlLcjiSrQ==",
"version": "2.2.1",
"resolved": "https://registry.npmjs.org/strnum/-/strnum-2.2.1.tgz",
"integrity": "sha512-BwRvNd5/QoAtyW1na1y1LsJGQNvRlkde6Q/ipqqEaivoMdV+B1OMOTVdwR+N/cwVUcIt9PYyHmV8HyexCZSupg==",
"funding": [
{
"type": "github",
@@ -9303,16 +9322,16 @@
}
},
"node_modules/typescript-eslint": {
"version": "8.56.1",
"resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.56.1.tgz",
"integrity": "sha512-U4lM6pjmBX7J5wk4szltF7I1cGBHXZopnAXCMXb3+fZ3B/0Z3hq3wS/CCUB2NZBNAExK92mCU2tEohWuwVMsDQ==",
"version": "8.57.0",
"resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.57.0.tgz",
"integrity": "sha512-W8GcigEMEeB07xEZol8oJ26rigm3+bfPHxHvwbYUlu1fUDsGuQ7Hiskx5xGW/xM4USc9Ephe3jtv7ZYPQntHeA==",
"dev": true,
"license": "MIT",
"dependencies": {
"@typescript-eslint/eslint-plugin": "8.56.1",
"@typescript-eslint/parser": "8.56.1",
"@typescript-eslint/typescript-estree": "8.56.1",
"@typescript-eslint/utils": "8.56.1"
"@typescript-eslint/eslint-plugin": "8.57.0",
"@typescript-eslint/parser": "8.57.0",
"@typescript-eslint/typescript-estree": "8.57.0",
"@typescript-eslint/utils": "8.57.0"
},
"engines": {
"node": "^18.18.0 || ^20.9.0 || >=21.1.0"
+3 -3
@@ -1,6 +1,6 @@
{
"name": "codeql",
"version": "4.32.7",
"version": "4.34.2",
"private": true,
"description": "CodeQL action",
"scripts": {
@@ -45,7 +45,7 @@
},
"devDependencies": {
"@ava/typescript": "6.0.0",
"@eslint/compat": "^2.0.2",
"@eslint/compat": "^2.0.3",
"@microsoft/eslint-formatter-sarif": "^3.1.0",
"@octokit/types": "^16.0.0",
"@types/archiver": "^7.0.0",
@@ -69,7 +69,7 @@
"nock": "^14.0.11",
"sinon": "^21.0.2",
"typescript": "^5.9.3",
"typescript-eslint": "^8.56.1"
"typescript-eslint": "^8.57.0"
},
"overrides": {
"@actions/tool-cache": {
+20
@@ -10,6 +10,7 @@ import {
defaultSuites,
resolveQuerySuiteAlias,
addSarifExtension,
diffRangeExtensionPackContents,
} from "./analyze";
import { createStubCodeQL } from "./codeql";
import { Feature } from "./feature-flags";
@@ -158,3 +159,22 @@ test("addSarifExtension", (t) => {
t.is(addSarifExtension(RiskAssessment, language), `${language}.csra.sarif`);
}
});
test("diffRangeExtensionPackContents", (t) => {
const output = diffRangeExtensionPackContents(
[
{
path: "main.js",
startLine: 10,
endLine: 20,
},
],
"/checkout/path",
);
const expected = fs.readFileSync(
`${__dirname}/../src/testdata/pr-diff-range.yml`,
"utf8",
);
t.deepEqual(output, expected);
});
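Review bot: The new `diffRangeExtensionPackContents` test only feeds a plain `main.js` path, so the property the implementation leans on — that `yaml.dump(..., { forceQuotes: true })` keeps every path as a quoted scalar on a single line — is never exercised, and that is precisely what decides whether a file name containing a quote, backslash or newline can break the `- [path, start, end]` row structure of the generated extension. Add a second case that passes a range with `path: 'we"ird\\\nname.js'` and asserts that each range still occupies exactly one data row, e.g. `t.is(output.split("\n").filter((l) => l.trimStart().startsWith("- [")).length, 1);`, and that `yaml.load(output)` round-trips the joined path unchanged. The fixture comparison also assumes `__dirname` resolves to the compiled `lib/` directory so that `../src/testdata` exists; if the test is ever run from `src/` directly that path is wrong, so a comment noting the assumption next to the `readFileSync` call would help. Whether `fs` and `yaml` are already imported in this test file is outside the hunk.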
+57 -28
@@ -5,7 +5,11 @@ import { performance } from "perf_hooks";
import * as io from "@actions/io";
import * as yaml from "js-yaml";
import { getTemporaryDirectory, PullRequestBranches } from "./actions-util";
import {
getTemporaryDirectory,
getRequiredInput,
PullRequestBranches,
} from "./actions-util";
import * as analyses from "./analyses";
import { setupCppAutobuild } from "./autobuild";
import { type CodeQL } from "./codeql";
@@ -243,7 +247,12 @@ export async function setupDiffInformedQueryRun(
`Calculating diff ranges for ${branches.base}...${branches.head}`,
);
const diffRanges = await getPullRequestEditedDiffRanges(branches, logger);
const packDir = writeDiffRangeDataExtensionPack(logger, diffRanges);
const checkoutPath = getRequiredInput("checkout_path");
const packDir = writeDiffRangeDataExtensionPack(
logger,
diffRanges,
checkoutPath,
);
if (packDir === undefined) {
logger.warning(
"Cannot create diff range extension pack for diff-informed queries; " +
@@ -259,6 +268,46 @@ export async function setupDiffInformedQueryRun(
);
}
export function diffRangeExtensionPackContents(
ranges: DiffThunkRange[],
checkoutPath: string,
): string {
const header = `
extensions:
- addsTo:
pack: codeql/util
extensible: restrictAlertsTo
checkPresence: false
data:
`;
let data = ranges
.map((range) => {
// Diff-informed queries expect the file path to be absolute. CodeQL always
// uses forward slashes as the path separator, so on Windows we need to
// replace any backslashes with forward slashes.
const filename = path
.join(checkoutPath, range.path)
.replaceAll(path.sep, "/");
// Using yaml.dump() with `forceQuotes: true` ensures that all special
// characters are escaped, and that the path is always rendered as a
// quoted string on a single line.
return (
` - [${yaml.dump(filename, { forceQuotes: true }).trim()}, ` +
`${range.startLine}, ${range.endLine}]\n`
);
})
.join("");
if (!data) {
// Ensure that the data extension is not empty, so that a pull request with
// no edited lines would exclude (instead of accepting) all alerts.
data = ' - ["", 0, 0]\n';
}
return header + data;
}
/**
* Create an extension pack in the temporary directory that contains the file
* line ranges that were added or modified in the pull request.
@@ -266,12 +315,14 @@ export async function setupDiffInformedQueryRun(
* @param logger
* @param ranges The file line ranges, as returned by
* `getPullRequestEditedDiffRanges`.
* @param checkoutPath The path at which the repository was checked out.
* @returns The absolute path of the directory containing the extension pack, or
* `undefined` if no extension pack was created.
*/
function writeDiffRangeDataExtensionPack(
logger: Logger,
ranges: DiffThunkRange[] | undefined,
checkoutPath: string,
): string | undefined {
if (ranges === undefined) {
return undefined;
@@ -307,32 +358,10 @@ dataExtensions:
`,
);
const header = `
extensions:
- addsTo:
pack: codeql/util
extensible: restrictAlertsTo
checkPresence: false
data:
`;
let data = ranges
.map(
(range) =>
// Using yaml.dump() with `forceQuotes: true` ensures that all special
// characters are escaped, and that the path is always rendered as a
// quoted string on a single line.
` - [${yaml.dump(range.path, { forceQuotes: true }).trim()}, ` +
`${range.startLine}, ${range.endLine}]\n`,
)
.join("");
if (!data) {
// Ensure that the data extension is not empty, so that a pull request with
// no edited lines would exclude (instead of accepting) all alerts.
data = ' - ["", 0, 0]\n';
}
const extensionContents = header + data;
const extensionContents = diffRangeExtensionPackContents(
ranges,
checkoutPath,
);
const extensionFilePath = path.join(diffRangeDir, "pr-diff-range.yml");
fs.writeFileSync(extensionFilePath, extensionContents);
logger.debug(
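Review bot: The comment in `diffRangeExtensionPackContents` says diff-informed queries expect an absolute path, but `path.join(checkoutPath, range.path)` only concatenates; if the `checkout_path` input is ever supplied relative to the workspace the emitted path stays relative and the restriction silently stops matching any file. `path.resolve` both makes the result absolute and normalises it in one step, so I would change the join to `const filename = path.resolve(checkoutPath, range.path).replaceAll(path.sep, "/");` (whether `action.yml` guarantees an absolute default for `checkout_path` is outside this diff, so treat this as defence in depth). It is also worth a short comment on the `["", 0, 0]` fallback that it is still correct now that paths are absolute, since an empty path can never equal a resolved file. `setupDiffInformedQueryRun` and `writeDiffRangeDataExtensionPack` both start before their hunks.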
+1 -20
@@ -300,19 +300,6 @@ const GHES_MOST_RECENT_DEPRECATION_DATE = "2025-06-19";
/** The CLI verbosity level to use for extraction in debug mode. */
const EXTRACTION_DEBUG_MODE_VERBOSITY = "progress++";
/*
* Deprecated in favor of ToolsFeature.
*
* Versions of CodeQL that version-flag certain functionality in the Action.
* For convenience, please keep these in descending order. Once a version
* flag is older than the oldest supported version above, it may be removed.
*/
/**
* Versions 2.17.1+ of the CodeQL CLI support the `--cache-cleanup` option.
*/
const CODEQL_VERSION_CACHE_CLEANUP = "2.17.1";
/**
* Set up CodeQL CLI access.
*
@@ -891,19 +878,13 @@ async function getCodeQLForCmd(
config: Config,
cleanupLevel: CleanupLevel,
): Promise<void> {
const cacheCleanupFlag = (await util.codeQlVersionAtLeast(
this,
CODEQL_VERSION_CACHE_CLEANUP,
))
? "--cache-cleanup"
: "--mode";
for (const language of config.languages) {
const databasePath = util.getCodeQLDatabasePath(config, language);
const codeqlArgs = [
"database",
"cleanup",
databasePath,
`${cacheCleanupFlag}=${cleanupLevel}`,
`--cache-cleanup=${cleanupLevel}`,
...getExtraOptionsFromEnv(["database", "cleanup"]),
];
await runCli(cmd, codeqlArgs);
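Review bot: Removing the version gate makes `--cache-cleanup` unconditional, which is only correct if the oldest CodeQL CLI the action still accepts is at least 2.17.1; that minimum is enforced elsewhere in this file, outside the hunk, so the dependency is now invisible at the call site. I would add a one-line comment above the args array, e.g. `// --cache-cleanup requires CodeQL 2.17.1+; the minimum supported CLI version is above that.`, so that anyone later lowering the minimum supported version sees the constraint rather than rediscovering the old `--mode` fallback from history. The enclosing `databaseCleanup` method starts before this hunk.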
+131 -5
@@ -26,6 +26,7 @@ import * as overlayStatus from "./overlay/status";
import { parseRepositoryNwo } from "./repository";
import {
setupTests,
setupActionsVars,
mockLanguagesInRepo as mockLanguagesInRepo,
createFeatures,
getRecordingLogger,
@@ -64,7 +65,6 @@ function createTestInitConfigInputs(
configInput: undefined,
buildModeInput: undefined,
ramInput: undefined,
trapCachingEnabled: false,
dependencyCachingEnabled: CachingKind.None,
debugMode: false,
debugArtifactName: "",
@@ -144,6 +144,8 @@ test.serial("load empty config", async (t) => {
const logger = getRunnerLogger(true);
const languages = "javascript,python";
setupActionsVars(tempDir, tempDir);
const codeql = createStubCodeQL({
async betterResolveLanguages() {
return {
@@ -185,6 +187,8 @@ test.serial("load code quality config", async (t) => {
const logger = getRunnerLogger(true);
const languages = "actions";
setupActionsVars(tempDir, tempDir);
const codeql = createStubCodeQL({
async betterResolveLanguages() {
return {
@@ -237,6 +241,8 @@ test.serial(
const logger = getRunnerLogger(true);
const languages = "javascript";
setupActionsVars(tempDir, tempDir);
const codeql = createStubCodeQL({
async betterResolveLanguages() {
return {
@@ -475,6 +481,8 @@ test.serial("load non-existent input", async (t) => {
test.serial("load non-empty input", async (t) => {
return await withTmpDir(async (tempDir) => {
setupActionsVars(tempDir, tempDir);
const codeql = createStubCodeQL({
async betterResolveLanguages() {
return {
@@ -1928,7 +1936,7 @@ test.serial(
"Fallback due to old git version",
{
overlayDatabaseEnvVar: "overlay",
gitVersion: new GitVersionInfo("2.30.0", "2.30.0"), // Version below required 2.38.0
gitVersion: new GitVersionInfo("2.10.0", "2.10.0"), // Version below required 2.11.0
},
{
disabledReason: OverlayDisabledReason.IncompatibleGit,
@@ -2013,13 +2021,13 @@ for (const language in KnownLanguage) {
// Verify that a language without a per-language overlay feature flag cannot have
// overlay analysis enabled, even when the base overlay feature flag is on.
// Using cpp here as it doesn't currently have overlay support — update this if
// cpp gains overlay support.
// Using swift here as it doesn't currently have overlay support — update this if
// swift gains overlay support.
test.serial(
checkOverlayEnablementMacro,
"No overlay analysis for language without per-language overlay feature flag",
{
languages: [KnownLanguage.cpp],
languages: [KnownLanguage.swift],
features: [Feature.OverlayAnalysis],
isPullRequest: true,
},
@@ -2055,3 +2063,121 @@ test.serial("getPrimaryAnalysisConfig - Code Scanning + Code Quality", (t) => {
AnalysisKind.CodeScanning,
);
});
test.serial(
"isTrapCachingEnabled: explicit input true is respected",
async (t) => {
return await withTmpDir(async (tmpDir) => {
setupActionsVars(tmpDir, tmpDir);
sinon
.stub(actionsUtil, "getOptionalInput")
.withArgs("trap-caching")
.returns("true");
t.true(
await configUtils.isTrapCachingEnabled(
createFeatures([]),
OverlayDatabaseMode.None,
),
);
});
},
);
test.serial(
"isTrapCachingEnabled: disabled on self-hosted runner by default",
async (t) => {
return await withTmpDir(async (tmpDir) => {
setupActionsVars(tmpDir, tmpDir);
sinon
.stub(actionsUtil, "getOptionalInput")
.withArgs("trap-caching")
.returns(undefined);
t.false(
await configUtils.isTrapCachingEnabled(
createFeatures([]),
OverlayDatabaseMode.None,
),
);
});
},
);
test.serial(
"isTrapCachingEnabled: enabled on hosted runner by default",
async (t) => {
return await withTmpDir(async (tmpDir) => {
const hostedToolCache = path.join(tmpDir, "hostedtoolcache");
setupActionsVars(tmpDir, hostedToolCache);
sinon
.stub(actionsUtil, "getOptionalInput")
.withArgs("trap-caching")
.returns(undefined);
t.true(
await configUtils.isTrapCachingEnabled(
createFeatures([]),
OverlayDatabaseMode.None,
),
);
});
},
);
test.serial(
"isTrapCachingEnabled: enabled on hosted runner when overlay enabled but feature flag off",
async (t) => {
return await withTmpDir(async (tmpDir) => {
const hostedToolCache = path.join(tmpDir, "hostedtoolcache");
setupActionsVars(tmpDir, hostedToolCache);
sinon
.stub(actionsUtil, "getOptionalInput")
.withArgs("trap-caching")
.returns(undefined);
t.true(
await configUtils.isTrapCachingEnabled(
createFeatures([]),
OverlayDatabaseMode.Overlay,
),
);
});
},
);
test.serial(
"isTrapCachingEnabled: disabled on hosted runner when overlay enabled and feature flag on",
async (t) => {
return await withTmpDir(async (tmpDir) => {
const hostedToolCache = path.join(tmpDir, "hostedtoolcache");
setupActionsVars(tmpDir, hostedToolCache);
sinon
.stub(actionsUtil, "getOptionalInput")
.withArgs("trap-caching")
.returns(undefined);
t.false(
await configUtils.isTrapCachingEnabled(
createFeatures([Feature.OverlayAnalysisDisableTrapCaching]),
OverlayDatabaseMode.Overlay,
),
);
});
},
);
test.serial(
"isTrapCachingEnabled: enabled on hosted runner when overlay is None even with feature flag on",
async (t) => {
return await withTmpDir(async (tmpDir) => {
const hostedToolCache = path.join(tmpDir, "hostedtoolcache");
setupActionsVars(tmpDir, hostedToolCache);
sinon
.stub(actionsUtil, "getOptionalInput")
.withArgs("trap-caching")
.returns(undefined);
t.true(
await configUtils.isTrapCachingEnabled(
createFeatures([Feature.OverlayAnalysisDisableTrapCaching]),
OverlayDatabaseMode.None,
),
);
});
},
);
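Review bot: The new `isTrapCachingEnabled` tests cover an explicit `"true"` and the undefined default on both runner kinds, but none checks that an explicit `"false"` is honoured on a hosted runner, which is the user's only opt-out path and the case most likely to regress if the default-on branch is reordered. Add a sibling of the first test that uses `setupActionsVars(tmpDir, hostedToolCache)` with `.returns("false")` and asserts `t.false(await configUtils.isTrapCachingEnabled(createFeatures([]), OverlayDatabaseMode.None))`. If the input parsing rejects values other than `true`/`false`, a case with `.returns("maybe")` asserting the thrown error would pin that contract too; I cannot see the parsing from this hunk, so confirm against the implementation.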
+67 -19
@@ -2,10 +2,12 @@ import * as fs from "fs";
import * as path from "path";
import { performance } from "perf_hooks";
import * as core from "@actions/core";
import * as yaml from "js-yaml";
import {
getActionVersion,
getOptionalInput,
isAnalyzingPullRequest,
isDynamicWorkflow,
} from "./actions-util";
@@ -72,6 +74,7 @@ import {
Result,
Success,
Failure,
isHostedRunner,
} from "./util";
/**
@@ -452,7 +455,6 @@ export interface InitConfigInputs {
configInput: string | undefined;
buildModeInput: string | undefined;
ramInput: string | undefined;
trapCachingEnabled: boolean;
dependencyCachingEnabled: string | undefined;
debugMode: boolean;
debugArtifactName: string;
@@ -482,7 +484,6 @@ export async function initActionState(
packsInput,
buildModeInput,
dbLocation,
trapCachingEnabled,
dependencyCachingEnabled,
debugMode,
debugArtifactName,
@@ -540,13 +541,6 @@ export async function initActionState(
};
}
const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(
trapCachingEnabled,
codeql,
languages,
logger,
);
// Compute the full Code Scanning configuration that combines the configuration from the
// configuration file / `config` input with other inputs, such as `queries`.
const computedConfig = generateCodeScanningConfig(
@@ -569,8 +563,8 @@ export async function initActionState(
debugMode,
debugArtifactName,
debugDatabaseName,
trapCaches,
trapCacheDownloadTime,
trapCaches: {},
trapCacheDownloadTime: 0,
dependencyCachingEnabled: getCachingKind(dependencyCachingEnabled),
dependencyCachingRestoredKeys: [],
extraQueryExclusions: [],
@@ -582,7 +576,6 @@ export async function initActionState(
}
async function downloadCacheWithTime(
trapCachingEnabled: boolean,
codeQL: CodeQL,
languages: Language[],
logger: Logger,
@@ -590,13 +583,9 @@ async function downloadCacheWithTime(
trapCaches: { [language: string]: string };
trapCacheDownloadTime: number;
}> {
let trapCaches: { [language: string]: string } = {};
let trapCacheDownloadTime = 0;
if (trapCachingEnabled) {
const start = performance.now();
trapCaches = await downloadTrapCaches(codeQL, languages, logger);
trapCacheDownloadTime = performance.now() - start;
}
const start = performance.now();
const trapCaches = await downloadTrapCaches(codeQL, languages, logger);
const trapCacheDownloadTime = performance.now() - start;
return { trapCaches, trapCacheDownloadTime };
}
@@ -636,6 +625,7 @@ async function loadUserConfig(
* without an entry will have overlay analysis disabled.
*/
const OVERLAY_ANALYSIS_FEATURES: Partial<Record<Language, Feature>> = {
cpp: Feature.OverlayAnalysisCpp,
csharp: Feature.OverlayAnalysisCsharp,
go: Feature.OverlayAnalysisGo,
java: Feature.OverlayAnalysisJava,
@@ -647,6 +637,7 @@ const OVERLAY_ANALYSIS_FEATURES: Partial<Record<Language, Feature>> = {
const OVERLAY_ANALYSIS_CODE_SCANNING_FEATURES: Partial<
Record<Language, Feature>
> = {
cpp: Feature.OverlayAnalysisCodeScanningCpp,
csharp: Feature.OverlayAnalysisCodeScanningCsharp,
go: Feature.OverlayAnalysisCodeScanningGo,
java: Feature.OverlayAnalysisCodeScanningJava,
@@ -1009,6 +1000,50 @@ async function validateOverlayDatabaseMode(
});
}
export async function isTrapCachingEnabled(
features: FeatureEnablement,
overlayDatabaseMode: OverlayDatabaseMode,
): Promise<boolean> {
// If the workflow specified something, always respect that.
const trapCaching = getOptionalInput("trap-caching");
if (trapCaching !== undefined) return trapCaching === "true";
// On self-hosted runners which may have slow network access, disable TRAP caching by default.
if (!isHostedRunner()) return false;
// If overlay analysis is enabled, then disable TRAP caching since overlay analysis supersedes it.
// This change is gated behind a feature flag.
if (
overlayDatabaseMode !== OverlayDatabaseMode.None &&
(await features.getValue(Feature.OverlayAnalysisDisableTrapCaching))
) {
return false;
}
// Otherwise, enable TRAP caching.
return true;
}
async function setCppTrapCachingEnvironmentVariables(
config: Config,
logger: Logger,
): Promise<void> {
if (config.languages.includes(KnownLanguage.cpp)) {
const envVar = "CODEQL_EXTRACTOR_CPP_TRAP_CACHING";
if (process.env[envVar]) {
logger.info(
`Environment variable ${envVar} already set, leaving it unchanged.`,
);
} else if (config.trapCaches[KnownLanguage.cpp]) {
logger.info("Enabling TRAP caching for C/C++.");
core.exportVariable(envVar, "true");
} else {
logger.debug(`Disabling TRAP caching for C/C++.`);
core.exportVariable(envVar, "false");
}
}
}
function dbLocationOrDefault(
dbLocation: string | undefined,
tempDir: string,
@@ -1199,6 +1234,19 @@ export async function initConfig(
exclude: { tags: "exclude-from-incremental" },
});
}
if (await isTrapCachingEnabled(features, config.overlayDatabaseMode)) {
const { trapCaches, trapCacheDownloadTime } = await downloadCacheWithTime(
inputs.codeql,
config.languages,
logger,
);
config.trapCaches = trapCaches;
config.trapCacheDownloadTime = trapCacheDownloadTime;
}
await setCppTrapCachingEnvironmentVariables(config, logger);
return config;
}
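Review bot: `setCppTrapCachingEnvironmentVariables` exports `CODEQL_EXTRACTOR_CPP_TRAP_CACHING=true` only when `config.trapCaches` has a cpp entry, whereas the init-action code it replaces (removed elsewhere on this page) enabled it whenever TRAP caching was on and the CLI was at least 2.17.5; whether a cpp entry exists on a cache miss depends on `downloadTrapCaches`, which is not visible here, so please confirm the map is keyed by supported language rather than by cache hit, otherwise first runs will never populate a C++ TRAP cache. The dropped version check is presumably covered by the action's minimum supported CLI, but neither new function says so, and neither has a doc comment. I would add above `isTrapCachingEnabled`: `/** Decides whether TRAP caching is on for this run: an explicit trap-caching input wins; otherwise it is off on self-hosted runners and, behind the OverlayAnalysisDisableTrapCaching flag, off whenever overlay analysis is in use. */`, and above the env-var helper a note that the decision is derived from `config.trapCaches`, so it must run after the caches are populated in `initConfig`. It is also worth stating that any `trap-caching` value other than the literal string `"true"` disables caching.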
+10 -14
@@ -188,10 +188,6 @@ test.serial(
);
function runGetDiffRanges(changes: number, patch: string[] | undefined): any {
sinon
.stub(actionsUtil, "getRequiredInput")
.withArgs("checkout_path")
.returns("/checkout/path");
return exportedForTesting.getDiffRanges(
{
filename: "test.txt",
@@ -211,7 +207,7 @@ test.serial("getDiffRanges: file diff too large", async (t) => {
const diffRanges = runGetDiffRanges(1000000, undefined);
t.deepEqual(diffRanges, [
{
path: "/checkout/path/test.txt",
path: "test.txt",
startLine: 0,
endLine: 0,
},
@@ -234,7 +230,7 @@ test.serial(
]);
t.deepEqual(diffRanges, [
{
path: "/checkout/path/test.txt",
path: "test.txt",
startLine: 53,
endLine: 54,
},
@@ -274,7 +270,7 @@ test.serial("getDiffRanges: diff thunk with single update range", async (t) => {
]);
t.deepEqual(diffRanges, [
{
path: "/checkout/path/test.txt",
path: "test.txt",
startLine: 53,
endLine: 53,
},
@@ -296,12 +292,12 @@ test.serial("getDiffRanges: diff thunk with addition ranges", async (t) => {
]);
t.deepEqual(diffRanges, [
{
path: "/checkout/path/test.txt",
path: "test.txt",
startLine: 53,
endLine: 53,
},
{
path: "/checkout/path/test.txt",
path: "test.txt",
startLine: 55,
endLine: 55,
},
@@ -328,12 +324,12 @@ test.serial("getDiffRanges: diff thunk with mixed ranges", async (t) => {
]);
t.deepEqual(diffRanges, [
{
path: "/checkout/path/test.txt",
path: "test.txt",
startLine: 54,
endLine: 54,
},
{
path: "/checkout/path/test.txt",
path: "test.txt",
startLine: 57,
endLine: 58,
},
@@ -363,12 +359,12 @@ test.serial("getDiffRanges: multiple diff thunks", async (t) => {
]);
t.deepEqual(diffRanges, [
{
path: "/checkout/path/test.txt",
path: "test.txt",
startLine: 53,
endLine: 54,
},
{
path: "/checkout/path/test.txt",
path: "test.txt",
startLine: 153,
endLine: 154,
},
@@ -379,7 +375,7 @@ test.serial("getDiffRanges: no diff context lines", async (t) => {
const diffRanges = runGetDiffRanges(2, ["@@ -30 +50,2 @@", "+1", "+2"]);
t.deepEqual(diffRanges, [
{
path: "/checkout/path/test.txt",
path: "test.txt",
startLine: 50,
endLine: 51,
},
+6 -11
@@ -71,6 +71,7 @@ export async function getDiffInformedAnalysisBranches(
}
export interface DiffThunkRange {
/** Relative path from the repository root, using forward slashes as separators. */
path: string;
startLine: number;
endLine: number;
@@ -112,8 +113,9 @@ export function readDiffRangesJsonFile(
*
* @param branches The base and head branches of the pull request.
* @param logger
* @returns An array of tuples, where each tuple contains the absolute path of a
* file, the start line and the end line (both 1-based and inclusive) of an
* @returns An array of tuples, where each tuple contains the relative path of a
* file (relative to the repository root, as returned by the GitHub compare API),
* the start line and the end line (both 1-based and inclusive) of an
* added or modified range in that file. Returns `undefined` if the action was
* not triggered by a pull request or if there was an error.
*/
@@ -191,13 +193,6 @@ function getDiffRanges(
fileDiff: FileDiff,
logger: Logger,
): DiffThunkRange[] | undefined {
// Diff-informed queries expect the file path to be absolute. CodeQL always
// uses forward slashes as the path separator, so on Windows we need to
// replace any backslashes with forward slashes.
const filename = path
.join(actionsUtil.getRequiredInput("checkout_path"), fileDiff.filename)
.replaceAll(path.sep, "/");
if (fileDiff.patch === undefined) {
if (fileDiff.changes === 0) {
// There are situations where a changed file legitimately has no diff.
@@ -212,7 +207,7 @@ function getDiffRanges(
// to a special diff range that covers the entire file.
return [
{
path: filename,
path: fileDiff.filename,
startLine: 0,
endLine: 0,
},
@@ -247,7 +242,7 @@ function getDiffRanges(
// Any line that does not start with a "+" or "-" terminates the current
// range of added lines.
diffRanges.push({
path: filename,
path: fileDiff.filename,
startLine: additionRangeStartLine,
endLine: currentLine - 1,
});
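Review bot: `DiffThunkRange.path` now carries the compare-API filename unchanged, but the consumer that turns these ranges into the CodeQL `restrictAlertsTo` extension data is not in this hunk and previously received absolute paths, which is what that predicate matches against; the new fixture elsewhere on this page still lists `/checkout/path/main.js`, which suggests the join moved to the writer, but that code is not visible here, so please confirm it was updated in the same change. If `path.join` was the only use of `path` in this file, the import is now unused. The interface comment could also state the full contract, e.g. `/** Path as returned by the GitHub compare API: relative to the repository root, forward slashes, presumably not percent-encoded. */`, since downstream matching depends on all three properties. `getDiffRanges` continues past the end of this hunk.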
+38 -17
@@ -9,6 +9,7 @@ import * as defaults from "./defaults.json";
import { Logger } from "./logging";
import {
CODEQL_OVERLAY_MINIMUM_VERSION,
CODEQL_OVERLAY_MINIMUM_VERSION_CPP,
CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP,
CODEQL_OVERLAY_MINIMUM_VERSION_GO,
CODEQL_OVERLAY_MINIMUM_VERSION_JAVA,
@@ -57,18 +58,18 @@ export enum Feature {
IgnoreGeneratedFiles = "ignore_generated_files",
JavaNetworkDebugging = "java_network_debugging",
OverlayAnalysis = "overlay_analysis",
OverlayAnalysisCodeScanningCpp = "overlay_analysis_code_scanning_cpp",
OverlayAnalysisCodeScanningCsharp = "overlay_analysis_code_scanning_csharp",
OverlayAnalysisCodeScanningGo = "overlay_analysis_code_scanning_go",
OverlayAnalysisCodeScanningJava = "overlay_analysis_code_scanning_java",
OverlayAnalysisCodeScanningJavascript = "overlay_analysis_code_scanning_javascript",
OverlayAnalysisCodeScanningPython = "overlay_analysis_code_scanning_python",
OverlayAnalysisCodeScanningRuby = "overlay_analysis_code_scanning_ruby",
OverlayAnalysisCpp = "overlay_analysis_cpp",
OverlayAnalysisCsharp = "overlay_analysis_csharp",
/** Disable TRAP caching when overlay analysis is enabled. */
OverlayAnalysisDisableTrapCaching = "overlay_analysis_disable_trap_caching",
OverlayAnalysisGo = "overlay_analysis_go",
/** Controls whether the Actions cache is checked for overlay build outcomes. */
OverlayAnalysisStatusCheck = "overlay_analysis_status_check",
/** Controls whether overlay build failures on are stored in the Actions cache. */
OverlayAnalysisStatusSave = "overlay_analysis_status_save",
OverlayAnalysisJava = "overlay_analysis_java",
OverlayAnalysisJavascript = "overlay_analysis_javascript",
OverlayAnalysisPython = "overlay_analysis_python",
@@ -80,6 +81,10 @@ export enum Feature {
OverlayAnalysisRuby = "overlay_analysis_ruby",
/** Controls whether hardware checks are skipped for overlay analysis. */
OverlayAnalysisSkipResourceChecks = "overlay_analysis_skip_resource_checks",
/** Controls whether the Actions cache is checked for overlay build outcomes. */
OverlayAnalysisStatusCheck = "overlay_analysis_status_check",
/** Controls whether overlay build failures on the default branch are stored in the Actions cache. */
OverlayAnalysisStatusSave = "overlay_analysis_status_save",
PythonDefaultIsToNotExtractStdlib = "python_default_is_to_not_extract_stdlib",
QaTelemetryEnabled = "qa_telemetry_enabled",
/** Note that this currently only disables baseline file coverage information. */
@@ -197,6 +202,11 @@ export const featureConfig = {
// Per-language overlay feature flags. Each has minimumVersion set to the
// minimum CLI version that supports overlay analysis for that language.
// Only languages that are GA or in staff-ship should have feature flags here.
[Feature.OverlayAnalysisCodeScanningCpp]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CPP",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP,
},
[Feature.OverlayAnalysisCodeScanningCsharp]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_CSHARP",
@@ -227,6 +237,11 @@ export const featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CODE_SCANNING_RUBY",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY,
},
[Feature.OverlayAnalysisCpp]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CPP",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_CPP,
},
[Feature.OverlayAnalysisCsharp]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_CSHARP",
@@ -237,16 +252,6 @@ export const featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_GO",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_GO,
},
[Feature.OverlayAnalysisStatusCheck]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisStatusSave]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisJava]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_JAVA",
@@ -262,15 +267,31 @@ export const featureConfig = {
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_PYTHON",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_PYTHON,
},
[Feature.OverlayAnalysisRuby]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY,
},
// Other overlay-related feature flags
[Feature.OverlayAnalysisDisableTrapCaching]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_DISABLE_TRAP_CACHING",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisResourceChecksV2]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RESOURCE_CHECKS_V2",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisRuby]: {
[Feature.OverlayAnalysisStatusCheck]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_RUBY",
minimumVersion: CODEQL_OVERLAY_MINIMUM_VERSION_RUBY,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_CHECK",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisStatusSave]: {
defaultValue: false,
envVar: "CODEQL_ACTION_OVERLAY_ANALYSIS_STATUS_SAVE",
minimumVersion: undefined,
},
[Feature.OverlayAnalysisSkipResourceChecks]: {
defaultValue: false,
+9 -9
@@ -347,9 +347,9 @@ test.serial("getFileOidsUnderPath returns correct file mapping", async (t) => {
const runGitCommandStub = sinon
.stub(gitUtils as any, "runGitCommand")
.resolves(
"30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js\n" +
"d89514599a9a99f22b4085766d40af7b99974827_lib/git-utils.js.map\n" +
"a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts",
"100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/git-utils.js\n" +
"100644 d89514599a9a99f22b4085766d40af7b99974827 0\tlib/git-utils.js.map\n" +
"100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\tsrc/git-utils.ts",
);
const result = await gitUtils.getFileOidsUnderPath("/fake/path");
@@ -362,7 +362,7 @@ test.serial("getFileOidsUnderPath returns correct file mapping", async (t) => {
t.deepEqual(runGitCommandStub.firstCall.args, [
"/fake/path",
["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
["ls-files", "--recurse-submodules", "--stage"],
"Cannot list Git OIDs of tracked files.",
]);
});
@@ -371,9 +371,9 @@ test.serial("getFileOidsUnderPath handles quoted paths", async (t) => {
sinon
.stub(gitUtils as any, "runGitCommand")
.resolves(
"30d998ded095371488be3a729eb61d86ed721a18_lib/normal-file.js\n" +
'd89514599a9a99f22b4085766d40af7b99974827_"lib/file with spaces.js"\n' +
'a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_"lib/file\\twith\\ttabs.js"',
"100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/normal-file.js\n" +
'100644 d89514599a9a99f22b4085766d40af7b99974827 0\t"lib/file with spaces.js"\n' +
'100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\t"lib/file\\twith\\ttabs.js"',
);
const result = await gitUtils.getFileOidsUnderPath("/fake/path");
@@ -398,9 +398,9 @@ test.serial(
sinon
.stub(gitUtils as any, "runGitCommand")
.resolves(
"30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js\n" +
"100644 30d998ded095371488be3a729eb61d86ed721a18 0\tlib/git-utils.js\n" +
"invalid-line-format\n" +
"a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96_src/git-utils.ts",
"100644 a47c11f5bfdca7661942d2c8f1b7209fb0dfdf96 0\tsrc/git-utils.ts",
);
await t.throwsAsync(
+14 -9
@@ -14,10 +14,11 @@ import {
import { ConfigurationError, getRequiredEnvParam } from "./util";
/**
* Minimum Git version required for overlay analysis. The `git ls-files --format`
* option, which is used by `getFileOidsUnderPath`, was introduced in Git 2.38.0.
* Minimum Git version required for overlay analysis. The
* `git ls-files --recurse-submodules` option, which is used by
* `getFileOidsUnderPath`, was introduced in Git 2.11.0.
*/
export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.38.0";
export const GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.11.0";
/**
* Git version information
@@ -252,24 +253,28 @@ export const getGitRoot = async function (
*
* @param basePath A path into the Git repository.
* @returns a map from file paths (relative to `basePath`) to Git OIDs.
* @throws {Error} if "git ls-tree" produces unexpected output.
* @throws {Error} if "git ls-files" produces unexpected output.
*/
export const getFileOidsUnderPath = async function (
basePath: string,
): Promise<{ [key: string]: string }> {
// Without the --full-name flag, the path is relative to the current working
// directory of the git command, which is basePath.
//
// We use --stage rather than --format here because --stage has been available since Git 2.11.0,
// while --format was only introduced in Git 2.38.0, which would limit overlay rollout.
const stdout = await runGitCommand(
basePath,
["ls-files", "--recurse-submodules", "--format=%(objectname)_%(path)"],
["ls-files", "--recurse-submodules", "--stage"],
"Cannot list Git OIDs of tracked files.",
);
const fileOidMap: { [key: string]: string } = {};
// With --format=%(objectname)_%(path), the output is a list of lines like:
// 30d998ded095371488be3a729eb61d86ed721a18_lib/git-utils.js
// d89514599a9a99f22b4085766d40af7b99974827_lib/git-utils.js.map
const regex = /^([0-9a-f]{40})_(.+)$/;
// With --stage, the output is a list of lines like:
// 100644 4c51bc1d9e86cd86e01b0f340cb8ce095c33b283 0\tsrc/git-utils.test.ts
// 100644 6b792ea543ce75d7a8a03df591e3c85311ecb64f 0\tsrc/git-utils.ts
// The fields are: <mode> <oid> <stage>\t<path>
const regex = /^[0-9]+ ([0-9a-f]{40}) [0-9]+\t(.+)$/;
for (const line of stdout.split("\n")) {
if (line) {
const match = line.match(regex);
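Review bot: The new comment and `GIT_MINIMUM_VERSION_FOR_OVERLAY = "2.11.0"` assume `--stage` has always been allowed together with `--recurse-submodules`, but as far as I recall the original `--recurse-submodules` implementation in Git 2.11 rejected that combination with `ls-files --recurse-submodules unsupported mode` (only `--cached` was supported), and `--stage` was accepted there only in a much later release — please verify against the ls-files history before lowering the minimum, or probe the combination at runtime and fall back accordingly. Independently of that, `--stage` also lists unmerged index entries (stage 1–3) for the same path, so a checkout with conflicts would have later entries overwrite earlier ones in `fileOidMap`; a comment or a `stage === "0"` filter would make the intent explicit. The regex also still accepts only 40-hex OIDs, so SHA-256 repositories hit the throw on the first line; that is pre-existing but worth a note in the doc comment. `getFileOidsUnderPath` continues past the end of this hunk.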
-43
@@ -88,7 +88,6 @@ import {
getRequiredEnvParam,
getThreadsFlagValue,
initializeEnvironment,
isHostedRunner,
ConfigurationError,
wrapError,
checkActionVersion,
@@ -362,7 +361,6 @@ async function run(startedAt: Date) {
configFile,
dbLocation: getOptionalInput("db-location"),
configInput: getOptionalInput("config"),
trapCachingEnabled: getTrapCachingEnabled(),
dependencyCachingEnabled: getDependencyCachingEnabled(),
// Debug mode is enabled if:
// - The `init` Action is passed `debug: true`.
@@ -613,24 +611,6 @@ async function run(startedAt: Date) {
core.exportVariable(kotlinLimitVar, "2.1.20");
}
if (config.languages.includes(KnownLanguage.cpp)) {
const envVar = "CODEQL_EXTRACTOR_CPP_TRAP_CACHING";
if (process.env[envVar]) {
logger.info(
`Environment variable ${envVar} already set. Not en/disabling CodeQL C++ TRAP caching support`,
);
} else if (
getTrapCachingEnabled() &&
(await codeQlVersionAtLeast(codeql, "2.17.5"))
) {
logger.info("Enabling CodeQL C++ TRAP caching support");
core.exportVariable(envVar, "true");
} else {
logger.info("Disabling CodeQL C++ TRAP caching support");
core.exportVariable(envVar, "false");
}
}
// Restore dependency cache(s), if they exist.
if (shouldRestoreCache(config.dependencyCachingEnabled)) {
const dependencyCachingResult = await downloadDependencyCaches(
@@ -644,17 +624,6 @@ async function run(startedAt: Date) {
dependencyCachingResult.restoredKeys;
}
// Suppress warnings about disabled Python library extraction.
if (await codeQlVersionAtLeast(codeql, "2.17.1")) {
// disabled by default, no warning
} else {
// disabled by default, prints warning if environment variable is not set
core.exportVariable(
"CODEQL_EXTRACTOR_PYTHON_DISABLE_LIBRARY_EXTRACTION",
"true",
);
}
if (getOptionalInput("setup-python-dependencies") !== undefined) {
logger.warning(
"The setup-python-dependencies input is deprecated and no longer has any effect. We recommend removing any references from your workflows. See https://github.blog/changelog/2024-01-23-codeql-2-16-python-dependency-installation-disabled-new-queries-and-bug-fixes/ for more information.",
@@ -864,18 +833,6 @@ async function loadRepositoryProperties(
}
}
function getTrapCachingEnabled(): boolean {
// If the workflow specified something always respect that
const trapCaching = getOptionalInput("trap-caching");
if (trapCaching !== undefined) return trapCaching === "true";
// On self-hosted runners which may have slow network access, disable TRAP caching by default
if (!isHostedRunner()) return false;
// On hosted runners, enable TRAP caching by default
return true;
}
async function recordZstdAvailability(
config: configUtils.Config,
zstdAvailability: ZstdAvailability,
+1
@@ -35,6 +35,7 @@ export const CODEQL_OVERLAY_MINIMUM_VERSION = "2.23.8";
// Per-language minimum CLI versions for overlay analysis, based on release
// validation data.
export const CODEQL_OVERLAY_MINIMUM_VERSION_CPP = "2.25.0";
export const CODEQL_OVERLAY_MINIMUM_VERSION_CSHARP = "2.24.1";
export const CODEQL_OVERLAY_MINIMUM_VERSION_GO = "2.24.2";
export const CODEQL_OVERLAY_MINIMUM_VERSION_JAVA = "2.23.8";
+8
@@ -0,0 +1,8 @@
extensions:
- addsTo:
pack: codeql/util
extensible: restrictAlertsTo
checkPresence: false
data:
- ['/checkout/path/main.js', 10, 20]
+178
@@ -0,0 +1,178 @@
{
"$schema": "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
"version": "2.1.0",
"runs": [{
"tool": {
"driver": {
"name": "LGTM.com",
"organization": "Semmle",
"version": "1.24.0-SNAPSHOT",
"rules": [{
"id": "js/unused-local-variable",
"name": "js/unused-local-variable",
"shortDescription": {
"text": "Unused variable, import, function or class"
},
"fullDescription": {
"text": "Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully."
},
"defaultConfiguration": {
"level": "note"
},
"properties": {
"tags": ["maintainability"],
"kind": "problem",
"precision": "very-high",
"name": "Unused variable, import, function or class",
"description": "Unused variables, imports, functions or classes may be a symptom of a bug\n and should be examined carefully.",
"id": "js/unused-local-variable",
"problem.severity": "recommendation"
}
}]
}
},
"results": [{
"ruleId": "js/unused-local-variable",
"ruleIndex": 0,
"message": {
"text": "Unused variable foo."
},
"locations": [{
"physicalLocation": {
"artifactLocation": {
"uri": "main.js",
"uriBaseId": "%SRCROOT%",
"index": 0
},
"region": {
"startLine": 2,
"startColumn": 7,
"endColumn": 10
}
}
}],
"partialFingerprints": {
"primaryLocationLineHash": "39fa2ee980eb94b0:1",
"primaryLocationStartColumnFingerprint": "4"
}
}],
"columnKind": "utf16CodeUnits",
"properties": {
"semmle.formatSpecifier": "2.1.0",
"semmle.sourceLanguage": "java"
}
},
{
"tool" : {
"driver" : {
"name" : "CodeQL command-line toolchain",
"organization" : "GitHub",
"semanticVersion" : "2.0.0",
"rules" : [ {
"id" : "js/unused-local-variable",
"name" : "js/unused-local-variable",
"shortDescription" : {
"text" : "Unused variable, import, function or class"
},
"fullDescription" : {
"text" : "Unused variables, imports, functions or classes may be a symptom of a bug and should be examined carefully."
},
"defaultConfiguration" : {
"level": "note"
},
"properties" : {
"tags" : [ "maintainability" ],
"kind" : "problem",
"precision" : "very-high",
"name" : "Unused variable, import, function or class",
"description" : "Unused variables, imports, functions or classes may be a symptom of a bug\n and should be examined carefully.",
"id" : "js/unused-local-variable",
"problem.severity" : "recommendation"
}
},
{
"id": "js/inconsistent-use-of-new",
"name": "js/inconsistent-use-of-new",
"shortDescription": {
"text": "Inconsistent use of 'new'"
},
"fullDescription": {
"text": "If a function is intended to be a constructor, it should always be invoked with 'new'. Otherwise, it should always be invoked as a normal function, that is, without 'new'."
},
"defaultConfiguration": {
"level": "note"
},
"properties": {
"tags": [
"reliability",
"correctness",
"language-features"
],
"kind": "problem",
"precision": "very-high",
"problem.severity": "warning"
}
} ]
}
},
"artifacts" : [ {
"location" : {
"uri" : "main.js",
"uriBaseId" : "%SRCROOT%",
"index" : 0
}
},
{
"location": {
"uri": "src/promiseUtils.js",
"uriBaseId": "%SRCROOT%",
"index": 1
}
},
{
"location": {
"uri": "src/LiveQueryClient.js",
"uriBaseId": "%SRCROOT%",
"index": 2
}
},
{
"location": {
"uri": "src/ParseObject.js",
"uriBaseId": "%SRCROOT%",
"index": 3
}
} ],
"results" : [ {
"ruleId" : "js/unused-local-variable",
"ruleIndex" : 0,
"message" : {
"text" : "Unused variable foo."
},
"locations" : [ {
"physicalLocation" : {
"artifactLocation" : {
"uri" : "main.js",
"uriBaseId" : "%SRCROOT%",
"index" : 0
},
"region" : {
"startLine" : 2,
"startColumn" : 7,
"endColumn" : 10
}
}
} ],
"partialFingerprints" : {
"primaryLocationLineHash" : "39fa2ee980eb94b0:1",
"primaryLocationStartColumnFingerprint" : "4"
}
}],
"newlineSequences" : [ "\r\n", "\n", "", "" ],
"columnKind" : "utf16CodeUnits",
"properties" : {
"semmle.formatSpecifier" : "sarif-latest"
}
}
]
}
+1
@@ -156,6 +156,7 @@ export const DEFAULT_ACTIONS_VARS = {
GITHUB_SERVER_URL: "https://github.com",
GITHUB_SHA: "0".repeat(40),
GITHUB_WORKFLOW: "test-workflow",
RUNNER_NAME: "my-runner",
RUNNER_OS: "Linux",
} as const satisfies Record<string, string>;
+31
@@ -9,6 +9,7 @@ import * as sinon from "sinon";
import * as analyses from "./analyses";
import { AnalysisKind, CodeQuality, CodeScanning } from "./analyses";
import * as api from "./api-client";
import * as diffUtils from "./diff-informed-analysis-utils";
import { getRunnerLogger, Logger } from "./logging";
import * as sarif from "./sarif";
import { setupTests } from "./testing-utils";
@@ -1012,3 +1013,33 @@ for (const analysisKind of analyses.supportedAnalysisKinds) {
},
);
}
function runFilterAlertsByDiffRange(
input: Partial<sarif.Log>,
diffRanges: diffUtils.DiffThunkRange[],
): Partial<sarif.Log> {
sinon.stub(diffUtils, "readDiffRangesJsonFile").returns(diffRanges);
return uploadLib.filterAlertsByDiffRange(getRunnerLogger(true), input);
}
test.serial(
"filterAlertsByDiffRange filters out alerts outside diff-range",
(t) => {
const input = sarif.readSarifFile(
`${__dirname}/../src/testdata/valid-sarif.sarif`,
);
const actualOutput = runFilterAlertsByDiffRange(input, [
{
path: "main.js",
startLine: 1,
endLine: 3,
},
]);
const expectedOutput = sarif.readSarifFile(
`${__dirname}/../src/testdata/valid-sarif-diff-filtered.sarif`,
);
t.deepEqual(actualOutput, expectedOutput);
},
);
+2 -9
@@ -1039,7 +1039,7 @@ function sanitize(str?: string) {
return (str ?? "_").replace(/[^a-zA-Z0-9_]/g, "_").toLocaleUpperCase();
}
function filterAlertsByDiffRange(
export function filterAlertsByDiffRange(
logger: Logger,
sarifLog: Partial<sarif.Log>,
): Partial<sarif.Log> {
@@ -1052,8 +1052,6 @@ function filterAlertsByDiffRange(
return sarifLog;
}
const checkoutPath = actionsUtil.getRequiredInput("checkout_path");
for (const run of sarifLog.runs) {
if (run.results) {
run.results = run.results.filter((result) => {
@@ -1068,11 +1066,6 @@ function filterAlertsByDiffRange(
if (!locationUri || locationStartLine === undefined) {
return false;
}
// CodeQL always uses forward slashes as the path separator, so on Windows we
// need to replace any backslashes with forward slashes.
const locationPath = path
.join(checkoutPath, locationUri)
.replaceAll(path.sep, "/");
// Alert filtering here replicates the same behavior as the restrictAlertsTo
// extensible predicate in CodeQL. See the restrictAlertsTo documentation
// https://codeql.github.com/codeql-standard-libraries/csharp/codeql/util/AlertFiltering.qll/predicate.AlertFiltering$restrictAlertsTo.3.html
@@ -1080,7 +1073,7 @@ function filterAlertsByDiffRange(
// of an alert location.
return diffRanges.some(
(range) =>
range.path === locationPath &&
range.path === locationUri &&
((range.startLine <= locationStartLine &&
range.endLine >= locationStartLine) ||
(range.startLine === 0 && range.endLine === 0)),
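Review bot: `range.path === locationUri` compares the raw SARIF `artifactLocation.uri` with the raw compare-API filename, and a SARIF `uri` is URI syntax — if CodeQL percent-encodes characters such as spaces (`my%20file.js`), an alert in a changed file with such a name never matches any range and is silently dropped from the upload, a false negative rather than a spurious alert. The removed `path.join(checkoutPath, …)` form had the same gap, so this is pre-existing, but these are the lines being touched. Consider normalising before the comparison, e.g. `let locationPath = locationUri; try { locationPath = decodeURIComponent(locationUri); } catch { /* keep raw uri */ }` and matching on `locationPath`, and add a comment that the filter assumes `uriBaseId` is `%SRCROOT%`, since a result with an absolute `file:` URI is also filtered out. `filterAlertsByDiffRange` continues past the end of this hunk.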