Create separate automodel pack

[starcke]

This is a first attempt at making a separate automodel pack. This was done together with @kaeluka.

We were not super sure if this was the exact right thing to do, but it seems a starting point.

In VS code we are seeing a bunch of red lines:

However if we change the dependency to

codeql/java-all: '*'

then we still have the red lines but the queries are able to run just fine.

[aeisenberg]

I think you need to add this pack to the codeql-workspace.yml file in the root of the repo. I'm not sure if that's all that's going on. I can try this out later today.

[starcke]

I think you need to add this pack to the codeql-workspace.yml file in the root of the repo. I'm not sure if that's all that's going on. I can try this out later today.

Great! that fixed VS Code for me 🎉

[kaeluka]

Can confirm: no squiggles over here either! Thank you, @aeisenberg <3

[aeisenberg]

Fantastic. 😄 Are you seeing any other problems?

[aeisenberg]

You probably want to add a groups property to this file. Maybe this:

groups: 
  - java
  - automodel

This property controls how and when to run pack commands on slices of workspace packs. This way, when you add automodel packs for other languages, you can publish all of them by using the command codeql pack publish --groups automodel,-test (This will publish all non-test automodel packs.)

So, you will want to add a similar group to the test pack (and add test as one of its groups.

Check out the other packs for inspiration.

[aeisenberg]

Oh...I see. The tests are included in the same pack. They should probably be split into its own pack. This way you can publish the queries without including the tests.

[starcke]

You probably want to add a groups property to this file.

I saw that but couldnt find what it actually did in the documentation. I'll add it.

Oh...I see. The tests are included in the same pack.

Yeah we discussed this, my feeling was that having two separate packs was a bit too much process for such a small pack. But if the standard is to always split then I'll make that change as well.

[aeisenberg]

If you wanted to be extra fancy, you could commit and push directly from this script.

[starcke]

Hmm... I kind of like it not committing for me, then there is less that suddenly happens. But we can also tweak this afterwards. It almost seems like there should be a generic publish script we could have for all the separate packs, but I am not sure how frequent these separate packs are?

[aeisenberg]

If this script is going to be run in CI, then something will have to commit and push the change, but maybe that is a longer term goal.

Eventually, all of our core packs will be publishable separately. But, that won't happen for a while. I still would hope that something like this script would become the default way of publishing.

[aeisenberg]

Trying this locally. Looks like the qlref files are no longer correct. You need to remove the Telemetry/ path segment.

Also, looks like I need a newer codeql version installed. I'm in a place with slow internet, so downloading and will try again when it's ready.

[aeisenberg]

(Optional)...you could also check if gh codeql is available and use that if CODEQL_DIST is unset.

[starcke]

Lets defer that in case we want to make changes to the solorigate pack as well.

[aeisenberg]

Suggested change

	WORKSPACE_ROOT="$AUTOMODEL_ROOT/../../../.."
	WORKSPACE_ROOT="$(realpath "$AUTOMODEL_ROOT/../../..")"

[starcke]

I have always been using readlink -f do you know if realpath is ok on all the places this could be thought to run?

[aeisenberg]

I'm not sure. I've usually just used realpath in situations like this. If readlnk works, too then that's probably fine.

[aeisenberg]

Upgraded to v2.14.1 and most tests are passing now. The AutomodelFrameworkModeExtractCandidates test is still failing.

Publishing and pre/post release process is working. I published and deleted the pack right after. Don't forget that after you publish, you need to manually change the visibility of that pack from internal to public.

[aeisenberg]

I know that the original script has this same line (which I wrote a couple of years ago), but not sure if it's the best. This script is only running successfully from the codeql/java/ql/automodel directory. Running in the repo root is failing for some reason.

[aeisenberg]

Ah...I think the path in line 5 needs to be normalized. Running from the repo root will make WORKSPACE_ROOT=java/ql/automodel/../../.., but it really needs to be WORKSPACE_ROOT=..

Suggested change

	AUTOMODEL_ROOT="$(dirname $0)"
	AUTOMODEL_ROOT="$(realpath "$(dirname $0)")"

[starcke]

I have changed this to do:

AUTOMODEL_ROOT="$(readlink -f "$(dirname $0)")"
WORKSPACE_ROOT="$AUTOMODEL_ROOT/../../../.."

Happy to switch to realpath as well if that is better.

[starcke]

Also updated the solorigate script with this change.

[starcke]

Merged in master after merging #13852. Moved the MaD file to the new directory and updated it.

[kaeluka]

Do you think this is ready to be merged, @aeisenberg?

[aeisenberg]

I think this looks good. We can make more changes in the future if we are going to fully automate the script. Nice job!

[aeisenberg]

I'm not sure. I've usually just used realpath in situations like this. If readlnk works, too then that's probably fine.

[aeisenberg]

If this script is going to be run in CI, then something will have to commit and push the change, but maybe that is a longer term goal.

Eventually, all of our core packs will be publishable separately. But, that won't happen for a while. I still would hope that something like this script would become the default way of publishing.

[starcke]

There were some conflicts with #13886 but command-line git resolved them directly.

[starcke]

When trying to publish the automodel pack I ran into a single test failure:

Executing 6 tests in 2 directories.                                                                   
Extracting test database in /home/starcke/github/vcs/codeql/java/ql/automodel/test/AutomodelFrameworkModeExtraction.
Compiling queries in /home/starcke/github/vcs/codeql/java/ql/automodel/test/AutomodelFrameworkModeExtraction.
Compiled /home/starcke/github/vcs/codeql/java/ql/automodel/test/AutomodelFrameworkModeExtraction/AutomodelFrameworkModeExtractCandidates.qlref (908ms).
Compiled /home/starcke/github/vcs/codeql/java/ql/automodel/test/AutomodelFrameworkModeExtraction/AutomodelFrameworkModeExtractPositiveExamples.qlref (280ms).
Compiled /home/starcke/github/vcs/codeql/java/ql/automodel/test/AutomodelFrameworkModeExtraction/AutomodelFrameworkModeExtractNegativeExamples.qlref (200ms).
Executing tests in /home/starcke/github/vcs/codeql/java/ql/automodel/test/AutomodelFrameworkModeExtraction.
--- expected                                                                                          
+++ actual                                                                                            
@@ -1,7 +1,1 @@                                                                                       
-| com/github/codeql/test/PublicClass.java:4:15:4:19 | stuff | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | com/gi
thub/codeql/test/PublicClass.java:4:15:4:19 | stuff | MethodDoc | com/github/codeql/test/PublicClass.java:4:15:4:19 | stuff | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | pa
ckage | file://PublicClass:1:1:1:1 | PublicClass | type | file://true:1:1:1:1 | true | subtypes | file://stuff:1:1:1:1 | stuff | name | file://(String):1:1:1:1 | (String) | signature | file://Argument[thi
s]:1:1:1:1 | Argument[this] | input | file://this:1:1:1:1 | this | parameterName |                    
-| com/github/codeql/test/PublicClass.java:4:21:4:30 | arg | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | com/gith
ub/codeql/test/PublicClass.java:4:21:4:30 | arg | MethodDoc | com/github/codeql/test/PublicClass.java:4:21:4:30 | arg | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package 
| file://PublicClass:1:1:1:1 | PublicClass | type | file://true:1:1:1:1 | true | subtypes | file://stuff:1:1:1:1 | stuff | name | file://(String):1:1:1:1 | (String) | signature | file://Argument[0]:1:1:1:
1 | Argument[0] | input | file://arg:1:1:1:1 | arg | parameterName |                                                                                                                                        
-| com/github/codeql/test/PublicClass.java:8:34:8:43 | arg | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | com/gith
ub/codeql/test/PublicClass.java:8:34:8:43 | arg | MethodDoc | com/github/codeql/test/PublicClass.java:8:34:8:43 | arg | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.test | package 
| file://PublicClass:1:1:1:1 | PublicClass | type | file://false:1:1:1:1 | false | subtypes | file://staticStuff:1:1:1:1 | staticStuff | name | file://(String):1:1:1:1 | (String) | signature | file://Argu
ment[0]:1:1:1:1 | Argument[0] | input | file://arg:1:1:1:1 | arg | parameterName |
-| com/github/codeql/test/PublicInterface.java:4:17:4:21 | stuff | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | co
m/github/codeql/test/PublicInterface.java:4:17:4:21 | stuff | MethodDoc | com/github/codeql/test/PublicInterface.java:4:17:4:21 | stuff | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.code
ql.test | package | file://PublicInterface:1:1:1:1 | PublicInterface | type | file://true:1:1:1:1 | true | subtypes | file://stuff:1:1:1:1 | stuff | name | file://(String):1:1:1:1 | (String) | signature |
 file://Argument[this]:1:1:1:1 | Argument[this] | input | file://this:1:1:1:1 | this | parameterName | 
-| com/github/codeql/test/PublicInterface.java:4:23:4:32 | arg | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | com/
github/codeql/test/PublicInterface.java:4:23:4:32 | arg | MethodDoc | com/github/codeql/test/PublicInterface.java:4:23:4:32 | arg | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.tes
t | package | file://PublicInterface:1:1:1:1 | PublicInterface | type | file://true:1:1:1:1 | true | subtypes | file://stuff:1:1:1:1 | stuff | name | file://(String):1:1:1:1 | (String) | signature | file:
//Argument[0]:1:1:1:1 | Argument[0] | input | file://arg:1:1:1:1 | arg | parameterName |
-| com/github/codeql/test/PublicInterface.java:6:36:6:45 | arg | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | com/
github/codeql/test/PublicInterface.java:6:36:6:45 | arg | MethodDoc | com/github/codeql/test/PublicInterface.java:6:36:6:45 | arg | ClassDoc | file://com.github.codeql.test:1:1:1:1 | com.github.codeql.tes
t | package | file://PublicInterface:1:1:1:1 | PublicInterface | type | file://false:1:1:1:1 | false | subtypes | file://staticStuff:1:1:1:1 | staticStuff | name | file://(String):1:1:1:1 | (String) | sig
nature | file://Argument[0]:1:1:1:1 | Argument[0] | input | file://arg:1:1:1:1 | arg | parameterName |                                                                                                      
-| java/nio/file/Files.java:10:9:10:24 | out | command-injection, path-injection, request-forgery, sql-injection\nrelated locations: $@, $@.\nmetadata: $@, $@, $@, $@, $@, $@, $@. | java/nio/file/Files.ja
va:10:9:10:24 | out | MethodDoc | java/nio/file/Files.java:10:9:10:24 | out | ClassDoc | file://java.nio.file:1:1:1:1 | java.nio.file | package | file://Files:1:1:1:1 | Files | type | file://false:1:1:1:1
 | false | subtypes | file://copy:1:1:1:1 | copy | name | file://(Path,OutputStream):1:1:1:1 | (Path,OutputStream) | signature | file://Argument[1]:1:1:1:1 | Argument[1] | input | file://out:1:1:1:1 | out
 | parameterName |                                                                                    
+                                                                                                     
[1/6 comp 908ms eval 1.8s] FAILED(RESULT) /home/starcke/github/vcs/codeql/java/ql/automodel/test/AutomodelFrameworkModeExtraction/AutomodelFrameworkModeExtractCandidates.qlref
Location is outside of test directory: file://java.nio.file:1:1:1:1
Location is outside of test directory: file://Files:1:1:1:1     
Location is outside of test directory: file://false:1:1:1:1                
Location is outside of test directory: file://copy:1:1:1:1
Location is outside of test directory: file://(Path,OutputStream):1:1:1:1                                                                                                                                   
Location is outside of test directory: file://Argument[0]:1:1:1:1  
Location is outside of test directory: file://source:1:1:1:1
Locations outside the test directory do not work well for regression tests.

@kaeluka does that also happen for you, and do you have any thoughts on why that would happen? I tried to reproduce it on main but the test seem to pass there, and there doesnt seem to be any real differences between the queries or the tests.

[kaeluka]

• These warnings Location is outside have been around since forever. They have to do with how we abuse the file location info to export data into the sarif format. May still be connected to the problem, though — who knows. Look up the DollarAtString class for details.

• The behaviour is freaky: when I run the tests locally, 5/6 pass, only candidate extraction in framework mode fails (it finds no candidates at all).

• This test fails locally, but the CI checks are green — does that mean that our new test suite is no longer executed by the CI checks? Or does it behave differently when run in the CI checks?

[kaeluka]

I'll take a look tomorrow to see if I can find any explanation for why only one query is broken.

[kaeluka]

I just fixed the issue — see my commit 480e3bf.

Tests pass locally 😄

[starcke]

I just fixed the issue — see my commit 480e3bf.

Woa, I would never have guessed that - thanks!

[aeisenberg]

This is good enough for now. We need to determine if we are going to do anything about the -dev dependencies. This can happen later.

[starcke]

I had to manually merge in master due to some changed files, but command-line git could do it automatically without having to resolve conflicts. The extension has also been updated to use this pack. So after this gets another stamp it should finally be good to merge.