Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add capability to filter queries #1098

Merged
merged 9 commits into from
Jun 16, 2022
20 changes: 20 additions & 0 deletions .github/check-sarif/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
name: Check SARIF
description: Checks a SARIF file to see if certain queries were run and others were not run.
inputs:
sarif-file:
required: true
description: The sarif file to check

queries-run:
required: true
description: |
Comma separated list of query ids that should be included in this SARIF file.

queries-not-run:
required: true
description: |
Comma separated list of query ids that should NOT be included in this SARIF file.

runs:
using: node12
main: index.js
52 changes: 52 additions & 0 deletions .github/check-sarif/index.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
'use strict'

const core = require('@actions/core');
const fs = require('fs')

const sarif = JSON.parse(fs.readFileSync(core.getInput('sarif-file'), 'utf8'))
const rules = sarif.runs[0].tool.extensions.flatMap(ext => ext.rules || [])

// Expected Queries
const expectedQueriesRun = getInput('queries-run')
const queriesThatShouldHaveRunButDidnt = expectedQueriesRun.reduce((acc, queryId) => {
if (!rules.some(rule => rule.id === queryId)) {
acc.push(queryId)
}
return acc
}, []);

if (queriesThatShouldHaveRunButDidnt.length > 0) {
core.setFailed(`The following queries were expected to run but did not: ${queriesThatShouldHaveRunButDidnt.join(', ')}`)
}

// Unexpected Queries
const expectedQueriesNotRun = getInput('queries-not-run')

const queriesThatShouldNotHaveRunButDid = expectedQueriesNotRun.reduce((acc, queryId) => {
if (rules.some(rule => rule.id === queryId)) {
acc.push(queryId)
}
return acc
}, []);

if (queriesThatShouldNotHaveRunButDid.length > 0) {
core.setFailed(`The following queries were NOT expected to have run but did: ${queriesThatShouldNotHaveRunButDid.join(', ')}`)
}


core.startGroup('All queries run')
rules.forEach(rule => {
core.info(`${rule.id}: ${(rule.properties && rule.properties.name) || rule.name}`)
})
core.endGroup()

core.startGroup('Full SARIF')
core.info(JSON.stringify(sarif, null, 2))
core.endGroup()

function getInput(name) {
return core.getInput(name)
.split(',')
.map(q => q.trim())
.filter(q => q.length > 0)
}
46 changes: 46 additions & 0 deletions .github/workflows/expected-queries-runs.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
name: Expected queries runs

on:
push:
branches:
- main
- releases/v1
- releases/v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}

jobs:
expected-queries:
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: latest
- uses: ./../action/init
with:
languages: javascript
tools: ${{ steps.prepare-test.outputs.tools-url }}
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
upload: false
env:
TEST_MODE: true

- name: Check Sarif
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/incomplete-hostname-regexp,js/path-injection
queries-not-run: foo,bar
97 changes: 97 additions & 0 deletions .github/workflows/query-filters.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
name: Query filters tests

on:
push:
branches:
- main
- releases/v1
- releases/v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}

jobs:
expected-queries:
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: latest

# Test 1
- uses: ./../action/init
with:
languages: javascript
config-file: ./.github/codeql/codeql-config-query-filters1.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
db-location: ${{ runner.temp }}/test1
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
upload: false
env:
TEST_MODE: true
- name: Check Sarif
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip
queries-not-run: js/path-injection
- name: Cleanup after test
run: rm -rf "$RUNNER_TEMP/results"
henrymercer marked this conversation as resolved.
Show resolved Hide resolved

# Test 2
- uses: ./../action/init
with:
languages: javascript
config-file: ./.github/codeql/codeql-config-query-filters2.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
db-location: ${{ runner.temp }}/test2
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
upload: false
env:
TEST_MODE: true
- name: Check Sarif
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block
queries-not-run: js/path-injection
- name: Cleanup after test
run: rm -rf "$RUNNER_TEMP/results"

# Test 3
- uses: ./../action/init
with:
languages: javascript
config-file: ./.github/codeql/codeql-config-query-filters3.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
db-location: ${{ runner.temp }}/test3
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
upload: false
env:
TEST_MODE: true
- name: Check Sarif
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs
queries-not-run: js/path-injection,complex-python-querypack/show-ifs,complex-python-querypack/foo/bar/show-ifs
- name: Cleanup after test
run: rm -rf "$RUNNER_TEMP/results"
2 changes: 1 addition & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@

## [UNRELEASED]

No user facing changes.
- Add the ability to filter queries from a code scanning run by using the `query-filters` option in the code scanning configuration file.[#1098](https://github.com/github/codeql-action/pull/1098)
aeisenberg marked this conversation as resolved.
Show resolved Hide resolved

## 2.1.12 - 01 Jun 2022

Expand Down
69 changes: 56 additions & 13 deletions lib/analyze.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading