Merge branch 'main' into atorralba/promote-log-injection
Showing
2,629 changed files
with
163,497 additions
and
41,472 deletions.
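--- a/.codeqlmanifest.json
+++ b/.codeqlmanifest.json
@@ -1,11 +1,28 @@
-{ "provide": [ "ruby/.codeqlmanifest.json",
-"*/ql/src/qlpack.yml",
-"*/ql/lib/qlpack.yml",
-"*/ql/test/qlpack.yml",
-"cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
-"*/ql/examples/qlpack.yml",
-"*/upgrades/qlpack.yml",
-"javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
-"javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
-"misc/legacy-support/*/qlpack.yml",
-"misc/suite-helpers/qlpack.yml" ] }
+{
+"provide": [
+"*/ql/src/qlpack.yml",
+"*/ql/lib/qlpack.yml",
+"*/ql/test/qlpack.yml",
+"*/ql/examples/qlpack.yml",
+"*/upgrades/qlpack.yml",
+"cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
+"javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml",
+"javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
+"csharp/ql/campaigns/Solorigate/lib/qlpack.yml",
+"csharp/ql/campaigns/Solorigate/src/qlpack.yml",
+"csharp/ql/campaigns/Solorigate/test/qlpack.yml",
+"misc/legacy-support/*/qlpack.yml",
+"misc/suite-helpers/qlpack.yml",
+"ruby/extractor-pack/codeql-extractor.yml",
+"ruby/ql/consistency-queries/qlpack.yml",
+"ql/ql/consistency-queries/qlpack.yml",
+"ql/extractor-pack/codeql-extractor.yml"
+],
+"versionPolicies": {
+"default": {
+"requireChangeNotes": true,
+"committedPrereleaseSuffix": "dev",
+"committedVersion": "nextPatchRelease"
+}
+}
+}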
|
@@ -26,3 +26,6 @@ documentation: | |
- "**/*.qhelp" | ||
- "**/*.md" | ||
- docs/**/* | ||
|
||
"QL-for-QL": | ||
- ql/**/* |
@@ -0,0 +1,31 @@ | ||
name: Post pull-request comment | ||
on: | ||
workflow_run: | ||
workflows: ["Query help preview"] | ||
types: | ||
- completed | ||
|
||
permissions: | ||
pull-requests: write | ||
|
||
jobs: | ||
post_comment: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Download artifact | ||
run: gh run download "${WORKFLOW_RUN_ID}" --repo "${GITHUB_REPOSITORY}" --name "comment" | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }} | ||
- run: | | ||
PR="$(grep -o '^[0-9]\+$' pr.txt)" | ||
PR_HEAD_SHA="$(gh api "/repos/${GITHUB_REPOSITORY}/pulls/${PR}" --jq .head.sha)" | ||
# Check that the pull-request head SHA matches the head SHA of the workflow run | ||
if [ "${WORKFLOW_RUN_HEAD_SHA}" != "${PR_HEAD_SHA}" ]; then | ||
echo "PR head SHA ${PR_HEAD_SHA} does not match workflow_run event SHA ${WORKFLOW_RUN_HEAD_SHA}. Stopping." 1>&2 | ||
exit 1 | ||
fi | ||
gh pr comment "${PR}" --repo "${GITHUB_REPOSITORY}" -F comment.txt | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
WORKFLOW_RUN_HEAD_SHA: ${{ github.event.workflow_run.head_commit.id }} |
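Review bot: The second `run:` step in `post_comment` consumes `pr.txt` and `comment.txt` from an artifact that the pull_request-triggered "Query help preview" run produced, so both files are under the pull request author's control and the head-SHA comparison is the only thing binding the PR number to the run that triggered this workflow; nothing in the file says so. A comment above `- name: Download artifact` such as `# The artifact was built by a pull_request run: pr.txt and comment.txt are untrusted input. The head-SHA check below is what ties the PR number to this run; keep it.` would stop the next editor from relaxing that check while this workflow holds `pull-requests: write`. The `grep -o '^[0-9]\+$' pr.txt` extraction accepts every all-digit line, so a multi-line file yields a newline-joined value that only fails later inside `gh api`; `PR="$(grep -o -m1 '^[0-9]\+$' pr.txt)"` followed by `[ -n "${PR}" ] || exit 1` makes the failure explicit and local. Posting `comment.txt` verbatim is presumably intended, since the preview job writes it; that is worth a sentence in the same comment.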
@@ -1,39 +1,63 @@ | ||
name: Query help preview | ||
|
||
permissions: | ||
contents: read | ||
|
||
on: | ||
pull_request: | ||
branches: | ||
- main | ||
- 'rc/*' | ||
- "rc/*" | ||
paths: | ||
- "ruby/**/*.qhelp" | ||
|
||
jobs: | ||
qhelp: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- run: echo "${{ github.event.number }}" > pr.txt | ||
- uses: actions/upload-artifact@v2 | ||
with: | ||
name: comment | ||
path: pr.txt | ||
retention-days: 1 | ||
- uses: actions/checkout@v2 | ||
with: | ||
fetch-depth: 2 | ||
persist-credentials: false | ||
- uses: ./.github/actions/fetch-codeql | ||
- name: Determine changed files | ||
id: changes | ||
run: | | ||
echo -n "::set-output name=qhelp_files::" | ||
(git diff --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep .qhelp$ | grep -v .inc.qhelp; | ||
git diff --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep .inc.qhelp$ | xargs -d '\n' -rn1 basename | xargs -d '\n' -rn1 git grep -l) | | ||
sort -u | xargs -d '\n' -n1 printf "'%s' " | ||
- uses: ./.github/actions/fetch-codeql | ||
(git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.qhelp$' | grep -z -v '.inc.qhelp'; | ||
git diff -z --name-only --diff-filter=ACMRT HEAD~1 HEAD | grep -z '.inc.qhelp$' | xargs --null -rn1 basename | xargs --null -rn1 git grep -z -l) | | ||
grep -z '.qhelp$' | grep -z -v '^-' | sort -z -u > "${RUNNER_TEMP}/paths.txt" | ||
- name: QHelp preview | ||
if: ${{ steps.changes.outputs.qhelp_files }} | ||
run: | | ||
( echo "QHelp previews:"; | ||
for path in ${{ steps.changes.outputs.qhelp_files }} ; do | ||
EXIT_CODE=0 | ||
echo "QHelp previews:" > comment.txt | ||
while read -r -d $'\0' path; do | ||
if [ ! -f "${path}" ]; then | ||
exit 1 | ||
fi | ||
echo "<details> <summary>${path}</summary>" | ||
echo | ||
codeql generate query-help --format=markdown ${path} | ||
codeql generate query-help --format=markdown -- "./${path}" 2> errors.txt || EXIT_CODE="$?" | ||
if [ -s errors.txt ]; then | ||
echo "# errors/warnings:" | ||
echo '```' | ||
cat errors.txt | ||
cat errors.txt 1>&2 | ||
echo '```' | ||
fi | ||
echo "</details>" | ||
done) | gh pr comment "${{ github.event.pull_request.number }}" -F - | ||
env: | ||
GITHUB_TOKEN: ${{ github.token }} | ||
done < "${RUNNER_TEMP}/paths.txt" >> comment.txt | ||
exit "${EXIT_CODE}" | ||
- if: always() | ||
uses: actions/upload-artifact@v2 | ||
with: | ||
name: comment | ||
path: comment.txt | ||
retention-days: 1 |
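Review bot: The rewritten `Determine changed files` pipeline still filters with an unescaped dot, `grep -z '.qhelp$'` and `grep -z -v '.inc.qhelp'`, so `.` matches any character: a file named `foo-inc.qhelp` is dropped and a name ending in `xqhelp` would pass; `grep -z '\.qhelp$' | grep -z -v '\.inc\.qhelp$'` on the first and third pipeline lines matches the intent. The `.inc.qhelp` basenames handed to `xargs --null -rn1 git grep -z -l` are likewise interpreted as regular expressions, and `git grep -z -l -F` makes them literal. The `grep -z -v '^-'` guard and the `--` before `"./${path}"` are good; `${path}` is also echoed raw into the `<summary>` of the Markdown comment, which is harmless for this repository's own file names but deserves a short `# path comes from the PR's changed files; only .qhelp names reach here` comment. The surrounding lines keep `contents: read` and `persist-credentials: false`, which is the right posture for a pull_request job whose output is later consumed by a `workflow_run` job.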
@@ -0,0 +1,192 @@ | ||
name: Run QL for QL | ||
|
||
on: | ||
push: | ||
branches: [main] | ||
pull_request: | ||
branches: [main] | ||
|
||
env: | ||
CARGO_TERM_COLOR: always | ||
|
||
jobs: | ||
queries: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v2 | ||
- name: Find codeql | ||
id: find-codeql | ||
uses: github/codeql-action/init@erik-krogh/ql | ||
with: | ||
languages: javascript # does not matter | ||
- name: Get CodeQL version | ||
id: get-codeql-version | ||
run: | | ||
echo "::set-output name=version::$("${CODEQL}" --version | head -n 1 | rev | cut -d " " -f 1 | rev)" | ||
shell: bash | ||
env: | ||
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }} | ||
- name: Cache queries | ||
id: cache-queries | ||
uses: actions/cache@v2 | ||
with: | ||
path: ${{ runner.temp }}/query-pack.zip | ||
key: queries-${{ hashFiles('ql/**/*.ql*') }}-${{ hashFiles('ql/ql/src/ql.dbscheme*') }}-${{ steps.get-codeql-version.outputs.version }} | ||
- name: Build query pack | ||
if: steps.cache-queries.outputs.cache-hit != 'true' | ||
run: | | ||
cd ql/ql/src | ||
"${CODEQL}" pack create | ||
cd .codeql/pack/codeql/ql-all/0.0.0 | ||
zip "${PACKZIP}" -r . | ||
env: | ||
CODEQL: ${{ steps.find-codeql.outputs.codeql-path }} | ||
PACKZIP: ${{ runner.temp }}/query-pack.zip | ||
- name: Upload query pack | ||
uses: actions/upload-artifact@v2 | ||
with: | ||
name: query-pack-zip | ||
path: ${{ runner.temp }}/query-pack.zip | ||
|
||
extractors: | ||
strategy: | ||
fail-fast: false | ||
|
||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- uses: actions/checkout@v2 | ||
- name: Cache entire extractor | ||
id: cache-extractor | ||
uses: actions/cache@v2 | ||
with: | ||
path: | | ||
ql/target/release/ql-autobuilder | ||
ql/target/release/ql-autobuilder.exe | ||
ql/target/release/ql-extractor | ||
ql/target/release/ql-extractor.exe | ||
key: ${{ runner.os }}-extractor-${{ hashFiles('ql/**/Cargo.lock') }}-${{ hashFiles('ql/**/*.rs') }} | ||
- name: Cache cargo | ||
if: steps.cache-extractor.outputs.cache-hit != 'true' | ||
uses: actions/cache@v2 | ||
with: | ||
path: | | ||
~/.cargo/registry | ||
~/.cargo/git | ||
ql/target | ||
key: ${{ runner.os }}-rust-cargo-${{ hashFiles('ql/**/Cargo.lock') }} | ||
- name: Check formatting | ||
if: steps.cache-extractor.outputs.cache-hit != 'true' | ||
run: cd ql; cargo fmt --all -- --check | ||
- name: Build | ||
if: steps.cache-extractor.outputs.cache-hit != 'true' | ||
run: cd ql; cargo build --verbose | ||
- name: Run tests | ||
if: steps.cache-extractor.outputs.cache-hit != 'true' | ||
run: cd ql; cargo test --verbose | ||
- name: Release build | ||
if: steps.cache-extractor.outputs.cache-hit != 'true' | ||
run: cd ql; cargo build --release | ||
- name: Generate dbscheme | ||
if: steps.cache-extractor.outputs.cache-hit != 'true' | ||
run: ql/target/release/ql-generator --dbscheme ql/ql/src/ql.dbscheme --library ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll | ||
- uses: actions/upload-artifact@v2 | ||
with: | ||
name: extractor-ubuntu-latest | ||
path: | | ||
ql/target/release/ql-autobuilder | ||
ql/target/release/ql-autobuilder.exe | ||
ql/target/release/ql-extractor | ||
ql/target/release/ql-extractor.exe | ||
retention-days: 1 | ||
package: | ||
runs-on: ubuntu-latest | ||
|
||
needs: | ||
- extractors | ||
- queries | ||
|
||
steps: | ||
- uses: actions/checkout@v2 | ||
- uses: actions/download-artifact@v2 | ||
with: | ||
name: query-pack-zip | ||
path: query-pack-zip | ||
- uses: actions/download-artifact@v2 | ||
with: | ||
name: extractor-ubuntu-latest | ||
path: linux64 | ||
- run: | | ||
unzip query-pack-zip/*.zip -d pack | ||
cp -r ql/codeql-extractor.yml ql/tools ql/ql/src/ql.dbscheme.stats pack/ | ||
mkdir -p pack/tools/linux64 | ||
if [[ -f linux64/ql-autobuilder ]]; then | ||
cp linux64/ql-autobuilder pack/tools/linux64/autobuilder | ||
chmod +x pack/tools/linux64/autobuilder | ||
fi | ||
if [[ -f linux64/ql-extractor ]]; then | ||
cp linux64/ql-extractor pack/tools/linux64/extractor | ||
chmod +x pack/tools/linux64/extractor | ||
fi | ||
cd pack | ||
zip -rq ../codeql-ql.zip . | ||
- uses: actions/upload-artifact@v2 | ||
with: | ||
name: codeql-ql-pack | ||
path: codeql-ql.zip | ||
retention-days: 1 | ||
analyze: | ||
runs-on: ubuntu-latest | ||
strategy: | ||
matrix: | ||
folder: [cpp, csharp, java, javascript, python, ql, ruby] | ||
|
||
needs: | ||
- package | ||
|
||
steps: | ||
- name: Download pack | ||
uses: actions/download-artifact@v2 | ||
with: | ||
name: codeql-ql-pack | ||
path: ${{ runner.temp }}/codeql-ql-pack-artifact | ||
|
||
- name: Prepare pack | ||
run: | | ||
unzip "${PACK_ARTIFACT}/*.zip" -d "${PACK}" | ||
env: | ||
PACK_ARTIFACT: ${{ runner.temp }}/codeql-ql-pack-artifact | ||
PACK: ${{ runner.temp }}/pack | ||
- name: Hack codeql-action options | ||
run: | | ||
JSON=$(jq -nc --arg pack "${PACK}" '.resolve.queries=["--search-path", $pack] | .resolve.extractor=["--search-path", $pack] | .database.init=["--search-path", $pack]') | ||
echo "CODEQL_ACTION_EXTRA_OPTIONS=${JSON}" >> ${GITHUB_ENV} | ||
env: | ||
PACK: ${{ runner.temp }}/pack | ||
|
||
- name: Checkout repository | ||
uses: actions/checkout@v2 | ||
- name: Create CodeQL config file | ||
run: | | ||
echo "paths:" > ${CONF} | ||
echo " - ${FOLDER}" >> ${CONF} | ||
echo "paths-ignore:" >> ${CONF} | ||
echo " - ql/ql/test" >> ${CONF} | ||
echo "Config file: " | ||
cat ${CONF} | ||
env: | ||
CONF: ./ql-for-ql-config.yml | ||
FOLDER: ${{ matrix.folder }} | ||
|
||
- name: Initialize CodeQL | ||
uses: github/codeql-action/init@erik-krogh/ql | ||
with: | ||
languages: ql | ||
db-location: ${{ runner.temp }}/db | ||
config-file: ./ql-for-ql-config.yml | ||
|
||
- name: Perform CodeQL Analysis | ||
uses: github/codeql-action/analyze@erik-krogh/ql | ||
with: | ||
category: "ql-for-ql-${{ matrix.folder }}" | ||
|
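Review bot: This workflow declares no top-level `permissions:` block, so its four jobs run with the repository's default token scope, while the "Query help preview" workflow in the same commit restricts itself to `contents: read`; only the `Perform CodeQL Analysis` step needs write access to upload results, so `permissions:` / `  contents: read` / `  security-events: write` at the top states the intent and drops everything else. The three `github/codeql-action/*@erik-krogh/ql` references (`Find codeql`, `Initialize CodeQL`, `Perform CodeQL Analysis`) pin a mutable branch rather than a release tag or commit SHA, which is presumably a stopgap while QL support lands in the action; a `# TODO: switch to a released codeql-action tag once QL support is published` comment on the first of them records that so it is not forgotten. In the `Hack codeql-action options` step, `echo "CODEQL_ACTION_EXTRA_OPTIONS=${JSON}" >> ${GITHUB_ENV}` should quote `"${GITHUB_ENV}"` like the other variable expansions in this file.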