From 47a7d24a1af71bf38c3c81d25d080b387e57b67e Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Fri, 25 Oct 2024 17:44:46 -0400
Subject: [PATCH 1/7] Implement Actions extractor

---
 actions/extractor/codeql-extractor.yml | 44 ++++++++++++++++++++++
 actions/extractor/tools/autobuild-impl.ps1 | 40 ++++++++++++++++++++
 actions/extractor/tools/autobuild.cmd | 3 ++
 actions/extractor/tools/autobuild.sh | 39 +++++++++++++++++++
 4 files changed, 126 insertions(+)
 create mode 100644 actions/extractor/codeql-extractor.yml
 create mode 100644 actions/extractor/tools/autobuild-impl.ps1
 create mode 100644 actions/extractor/tools/autobuild.cmd
 create mode 100755 actions/extractor/tools/autobuild.sh

diff --git a/actions/extractor/codeql-extractor.yml b/actions/extractor/codeql-extractor.yml
new file mode 100644
index 000000000000..ab7374910054
--- /dev/null
+++ b/actions/extractor/codeql-extractor.yml
@@ -0,0 +1,44 @@
+name: "actions"
+aliases: []
+display_name: "GitHub Actions"
+version: 0.0.1
+column_kind: "utf16"
+unicode_newlines: true
+build_modes:
+ - none
+file_coverage_languages: []
+github_api_languages: []
+scc_languages: []
+file_types:
+ - name: workflow
+ display_name: GitHub Actions workflow files
+ extensions:
+ - .yml
+ - .yaml
+forwarded_extractor_name: javascript
+options:
+ trap:
+ title: TRAP options
+ description: Options about how the extractor handles TRAP files
+ type: object
+ visibility: 3
+ properties:
+ cache:
+ title: TRAP cache options
+ description: Options about how the extractor handles its TRAP cache
+ type: object
+ properties:
+ dir:
+ title: TRAP cache directory
+ description: The directory of the TRAP cache to use
+ type: string
+ bound:
+ title: TRAP cache bound
+ description: A soft limit (in MB) on the size of the TRAP cache
+ type: string
+ pattern: "[0-9]+"
+ write:
+ title: TRAP cache writeable
+ description: Whether to write to the TRAP cache as well as reading it
+ type: string
+ pattern: "(true|TRUE|false|FALSE)"
diff --git a/actions/extractor/tools/autobuild-impl.ps1 b/actions/extractor/tools/autobuild-impl.ps1
new file mode 100644
index 000000000000..6ae433f2599c
--- /dev/null
+++ b/actions/extractor/tools/autobuild-impl.ps1
@@ -0,0 +1,40 @@
+if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
+ Write-Output 'Path filters set. Passing them through to the JavaScript extractor.'
+} else {
+ Write-Output 'No path filters set. Using the default filters.'
+ $DefaultPathFilters = @(
+ 'exclude:**/*',
+ 'include:.github/workflows/**/*.yml',
+ 'include:.github/workflows/**/*.yaml',
+ 'include:**/action.yml',
+ 'include:**/action.yaml'
+ )
+
+ $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
+}
+
+# Find the JavaScript extractor directory via `codeql resolve extractor`.
+$CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
+if ($LASTEXITCODE -ne 0) {
+ throw 'Failed to resolve JavaScript extractor.'
+}
+
+Write-Output "Found JavaScript extractor at '${env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
+
+# Run the JavaScript autobuilder.
+$JavaScriptAutoBuild = Join-Path $env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT 'tools\autobuild.cmd'
+Write-Output "Running JavaScript autobuilder at '${JavaScriptAutoBuild}'."
+
+# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_LOG_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
+
+&$JavaScriptAutoBuild
+if ($LASTEXITCODE -ne 0) {
+ throw "JavaScript autobuilder failed."
+}
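Review bot: The "filters are set" test on the first line uses `$null -ne $env:LGTM_INDEX_INCLUDE`, which treats an empty-string value as set, whereas the sibling autobuild.sh in this same patch uses `[ -n "${LGTM_INDEX_INCLUDE:-}" ]`, which treats empty as unset, so the two platforms can disagree on whether to apply the default filters. I cannot tell from here whether the CLI ever exports these variables empty on Windows; if the difference is unintended, `-not [string]::IsNullOrEmpty($env:LGTM_INDEX_INCLUDE)` (and likewise for the other two) aligns the semantics, and if it is intended a one-line comment saying so would save the next reader the comparison. The file also lacks a top-of-file comment; suggest `# Autobuilder for the Actions extractor: picks the workflow/action path filters, then delegates to the JavaScript extractor's autobuild.cmd. Invoked from autobuild.cmd in this directory.`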
diff --git a/actions/extractor/tools/autobuild.cmd b/actions/extractor/tools/autobuild.cmd
new file mode 100644
index 000000000000..ff5ca89d94a4
--- /dev/null
+++ b/actions/extractor/tools/autobuild.cmd
@@ -0,0 +1,3 @@
+@echo off
+rem All of the work is done in the PowerShell script
+powershell.exe %~dp0autobuild-impl.ps1
diff --git a/actions/extractor/tools/autobuild.sh b/actions/extractor/tools/autobuild.sh
new file mode 100755
index 000000000000..57adbf96279d
--- /dev/null
+++ b/actions/extractor/tools/autobuild.sh
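Review bot: The script path on the last line, `powershell.exe %~dp0autobuild-impl.ps1`, is unquoted, so an extractor installed under a directory containing a space is split into several arguments and the PowerShell script is not found. Because no `-File` is given the argument is also interpreted as a command expression rather than a script path, the user's profile scripts run before it, and a restrictive execution policy on the runner blocks it outright. Suggest `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "%~dp0autobuild-impl.ps1"`; an uncaught `throw` in the script should still surface as a non-zero exit code for cmd under `-File`, though that is worth confirming on the target PowerShell version.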
@@ -0,0 +1,39 @@
+#!/bin/sh
+
+set -eu
+
+DEFAULT_PATH_FILTERS=$(cat << END
+exclude:**/*
+include:.github/workflows/**/*.yml
+include:.github/workflows/**/*.yaml
+include:**/action.yml
+include:**/action.yaml
+END
+)
+
+if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
+ echo "Path filters set. Passing them through to the JavaScript extractor."
+else
+ echo "No path filters set. Using the default filters."
+ LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
+ export LGTM_INDEX_FILTERS
+fi
+
+# Find the JavaScript extractor directory via `codeql resolve extractor`.
+CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
+export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
+
+echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
+
+# Run the JavaScript autobuilder
+JAVASCRIPT_AUTO_BUILD="${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}/tools/autobuild.sh"
+echo "Running JavaScript autobuilder at '${JAVASCRIPT_AUTO_BUILD}'."
+
+# Copy the values of the Actions extractor environment variables to the JavaScript extractor environment variables.
+env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGNOSTIC_DIR}" \
+ CODEQL_EXTRACTOR_JAVASCRIPT_LOG_DIR="${CODEQL_EXTRACTOR_ACTIONS_LOG_DIR}" \
+ CODEQL_EXTRACTOR_JAVASCRIPT_SCRATCH_DIR="${CODEQL_EXTRACTOR_ACTIONS_SCRATCH_DIR}" \
+ CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
+ CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
+ CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
+ ${JAVASCRIPT_AUTO_BUILD}

From dffc9e2e3113824d5af800afa8e61f9deeb6697e Mon Sep 17 00:00:00 2001
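Review bot: Two expansions that become a command are unquoted: `$CODEQL_DIST/codeql` inside the command substitution that sets CODEQL_EXTRACTOR_JAVASCRIPT_ROOT, and `${JAVASCRIPT_AUTO_BUILD}` on the last line of the `env` invocation. A CodeQL distribution or extractor installed under a path containing whitespace or glob characters is word-split and pathname-expanded before execution, so the wrong program (or none) runs. Quote both: `CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("$CODEQL_DIST/codeql" resolve extractor --language javascript)"` and `"${JAVASCRIPT_AUTO_BUILD}"`. With `set -eu` on line 3 an unset CODEQL_DIST already aborts the script, so only the quoting is missing.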
From: Dave Bartolomeo
Date: Fri, 25 Oct 2024 17:45:05 -0400
Subject: [PATCH 2/7] Create placeholder Actions QL packs

---
 actions/ql/lib/actions.qll | 1 +
 actions/ql/lib/qlpack.yml | 12 ++++++++++
 actions/ql/src/Placeholder.ql | 16 +++++++++++++
 actions/ql/src/qlpack.yml | 8 +++++++
 .../library-tests/.github/workflows/shell.yml | 23 +++++++++++++++++++
 .../test/library-tests/Placeholder.expected | 1 +
 actions/ql/test/library-tests/Placeholder.ql | 1 +
 actions/ql/test/qlpack.yml | 8 +++++++
 .../Placeholder/.github/workflows/shell.yml | 23 +++++++++++++++++++
 .../Placeholder/Placeholder.expected | 1 +
 .../query-tests/Placeholder/Placeholder.qlref | 1 +
 11 files changed, 95 insertions(+)
 create mode 100644 actions/ql/lib/actions.qll
 create mode 100644 actions/ql/lib/qlpack.yml
 create mode 100644 actions/ql/src/Placeholder.ql
 create mode 100644 actions/ql/src/qlpack.yml
 create mode 100644 actions/ql/test/library-tests/.github/workflows/shell.yml
 create mode 100644 actions/ql/test/library-tests/Placeholder.expected
 create mode 100644 actions/ql/test/library-tests/Placeholder.ql
 create mode 100644 actions/ql/test/qlpack.yml
 create mode 100644 actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml
 create mode 100644 actions/ql/test/query-tests/Placeholder/Placeholder.expected
 create mode 100644 actions/ql/test/query-tests/Placeholder/Placeholder.qlref

diff --git a/actions/ql/lib/actions.qll b/actions/ql/lib/actions.qll
new file mode 100644
index 000000000000..10051c768058
--- /dev/null
+++ b/actions/ql/lib/actions.qll
@@ -0,0 +1 @@
+// Placeholder
diff --git a/actions/ql/lib/qlpack.yml b/actions/ql/lib/qlpack.yml
new file mode 100644
index 000000000000..4f674220c885
--- /dev/null
+++ b/actions/ql/lib/qlpack.yml
@@ -0,0 +1,12 @@
+name: codeql/actions-all
+version: 0.0.1-dev
+library: true
+warnOnImplicitThis: true
+dependencies:
+ codeql/util: ${workspace}
+ codeql/yaml: ${workspace}
+ codeql/controlflow: ${workspace}
+ codeql/dataflow: ${workspace}
+ codeql/javascript-all: ${workspace}
+extractor: actions
+groups: actions
diff --git a/actions/ql/src/Placeholder.ql b/actions/ql/src/Placeholder.ql
new file mode 100644
index 000000000000..ef102ad7870d
--- /dev/null
+++ b/actions/ql/src/Placeholder.ql
@@ -0,0 +1,16 @@
+/**
+ * @name Placeholder Query
+ * @description Placeholder
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 9.3
+ * @precision high
+ * @id actions/placeholder
+ * @tags actions
+ */
+
+import actions
+import javascript
+
+from File f
+select f, "File"
diff --git a/actions/ql/src/qlpack.yml b/actions/ql/src/qlpack.yml
new file mode 100644
index 000000000000..0cede827207b
--- /dev/null
+++ b/actions/ql/src/qlpack.yml
@@ -0,0 +1,8 @@
+name: codeql/actions-queries
+version: 0.0.1-dev
+library: false
+groups: [actions, queries]
+extractor: actions
+dependencies:
+ codeql/actions-all: ${workspace}
+warnOnImplicitThis: true
diff --git a/actions/ql/test/library-tests/.github/workflows/shell.yml b/actions/ql/test/library-tests/.github/workflows/shell.yml
new file mode 100644
index 000000000000..9392b81c6ab2
--- /dev/null
+++ b/actions/ql/test/library-tests/.github/workflows/shell.yml
@@ -0,0 +1,23 @@
+on: push
+
+jobs:
+ job1:
+ runs-on: ubuntu-latest
+ steps:
+ - shell: pwsh
+ run: Write-Output "foo"
+ job2:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "foo"
+
+ job3:
+ runs-on: windows-latest
+ steps:
+ - shell: bash
+ run: echo "foo"
+ job4:
+ runs-on: windows-latest
+ steps:
+ - run: Write-Output "foo"
+
diff --git a/actions/ql/test/library-tests/Placeholder.expected b/actions/ql/test/library-tests/Placeholder.expected
new file mode 100644
index 000000000000..2a4f078a25fc
--- /dev/null
+++ b/actions/ql/test/library-tests/Placeholder.expected
@@ -0,0 +1 @@
+| 1 |
diff --git a/actions/ql/test/library-tests/Placeholder.ql b/actions/ql/test/library-tests/Placeholder.ql
new file mode 100644
index 000000000000..82198eaf87be
--- /dev/null
+++ b/actions/ql/test/library-tests/Placeholder.ql
@@ -0,0 +1 @@
+select 1
diff --git a/actions/ql/test/qlpack.yml b/actions/ql/test/qlpack.yml
new file mode 100644
index 000000000000..12711bee904b
--- /dev/null
+++ b/actions/ql/test/qlpack.yml
@@ -0,0 +1,8 @@
+name: codeql/actions-tests
+groups: [codeql, test]
+dependencies:
+ codeql/actions-all: ${workspace}
+ codeql/actions-queries: ${workspace}
+extractor: actions
+tests: .
+warnOnImplicitThis: true
diff --git a/actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml b/actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml
new file mode 100644
index 000000000000..9392b81c6ab2
--- /dev/null
+++ b/actions/ql/test/query-tests/Placeholder/.github/workflows/shell.yml
@@ -0,0 +1,23 @@
+on: push
+
+jobs:
+ job1:
+ runs-on: ubuntu-latest
+ steps:
+ - shell: pwsh
+ run: Write-Output "foo"
+ job2:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo "foo"
+
+ job3:
+ runs-on: windows-latest
+ steps:
+ - shell: bash
+ run: echo "foo"
+ job4:
+ runs-on: windows-latest
+ steps:
+ - run: Write-Output "foo"
+
diff --git a/actions/ql/test/query-tests/Placeholder/Placeholder.expected b/actions/ql/test/query-tests/Placeholder/Placeholder.expected
new file mode 100644
index 000000000000..46bd70296bd9
--- /dev/null
+++ b/actions/ql/test/query-tests/Placeholder/Placeholder.expected
@@ -0,0 +1 @@
+| .github/workflows/shell.yml:0:0:0:0 | .github/workflows/shell.yml | File |
diff --git a/actions/ql/test/query-tests/Placeholder/Placeholder.qlref b/actions/ql/test/query-tests/Placeholder/Placeholder.qlref
new file mode 100644
index 000000000000..2ad15e688e23
--- /dev/null
+++ b/actions/ql/test/query-tests/Placeholder/Placeholder.qlref
@@ -0,0 +1 @@
+Placeholder.ql
From 4a567344f5b860303dafc07092cab6c421031e41 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Fri, 25 Oct 2024 17:59:49 -0400
Subject: [PATCH 3/7] Fix style alerts

---
 actions/ql/src/Placeholder.ql | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/actions/ql/src/Placeholder.ql b/actions/ql/src/Placeholder.ql
index ef102ad7870d..63e32f04dfb3 100644
--- a/actions/ql/src/Placeholder.ql
+++ b/actions/ql/src/Placeholder.ql
@@ -6,11 +6,11 @@
 * @security-severity 9.3
 * @precision high
 * @id actions/placeholder
- * @tags actions
+ * @tags actions security
 */
 
 import actions
 import javascript
 
 from File f
-select f, "File"
+select f, "Analyzed a file."

From 8840f91503e8ad536082f95c1c5161fc24ce2255 Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Fri, 25 Oct 2024 20:32:01 -0400
Subject: [PATCH 4/7] Fix formatting

---
 actions/ql/lib/actions.qll | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/actions/ql/lib/actions.qll b/actions/ql/lib/actions.qll
index 10051c768058..fbbb3285e631 100644
--- a/actions/ql/lib/actions.qll
+++ b/actions/ql/lib/actions.qll
@@ -1 +1,3 @@
-// Placeholder
+predicate placeholder(int x) {
+ x = 0
+}

From 01fa95f98ab86e8f8a02ee4162b872d69cafb194 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Mon, 28 Oct 2024 10:43:46 +0100
Subject: [PATCH 5/7] Actions: autoformat

---
 actions/ql/lib/actions.qll | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/actions/ql/lib/actions.qll b/actions/ql/lib/actions.qll
index fbbb3285e631..073277dcace0 100644
--- a/actions/ql/lib/actions.qll
+++ b/actions/ql/lib/actions.qll
@@ -1,3 +1 @@
-predicate placeholder(int x) {
- x = 0
-}
+predicate placeholder(int x) { x = 0 }

From e3c400b0c8d618de4dc54de44c97907097cb2844 Mon Sep 17 00:00:00 2001
From: Rasmus Wriedt Larsen
Date: Mon, 28 Oct 2024 10:46:05 +0100
Subject: [PATCH 6/7] Add auto labeler support for 'Actions'

---
 .github/labeler.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/labeler.yml b/.github/labeler.yml
index 0e43646c7ba2..65f820799716 100644
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -38,6 +38,10 @@ Swift:
 - swift/**/*
 - change-notes/**/*swift*
 
+Actions:
+ - actions/**/*
+ - change-notes/**/*actions*
+
 documentation:
 - "**/*.qhelp"
 - "**/*.md"

From 3228447544a52e56da4ae7890fd17d0bc844cbeb Mon Sep 17 00:00:00 2001
From: Dave Bartolomeo
Date: Mon, 28 Oct 2024 09:58:11 -0400
Subject: [PATCH 7/7] Fix bash nit

Co-authored-by: Rasmus Wriedt Larsen
---
 actions/extractor/tools/autobuild.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/actions/extractor/tools/autobuild.sh b/actions/extractor/tools/autobuild.sh
index 57adbf96279d..656e0f356352 100755
--- a/actions/extractor/tools/autobuild.sh
+++ b/actions/extractor/tools/autobuild.sh
@@ -11,7 +11,7 @@ include:**/action.yaml
 END
 )
 
-if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
+if [ -n "${LGTM_INDEX_INCLUDE}" ] || [ -n "${LGTM_INDEX_EXCLUDE}" ] || [ -n "${LGTM_INDEX_FILTERS}" ] ; then
 echo "Path filters set. Passing them through to the JavaScript extractor."
 else
 echo "No path filters set. Using the default filters."
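Review bot: Dropping the `:-` defaults turns the `-n` tests from false into a fatal error whenever one of the three LGTM_INDEX_* variables is not exported, because this file runs under `set -eu` (line 3, added in patch 1) and `-u` rejects `"${LGTM_INDEX_INCLUDE}"` for an unset variable before `[` ever sees it; the else branch's own message, "No path filters set", suggests unset is the normal case. Unless the CLI guarantees that all three variables are always exported, which I cannot tell from here, keep the previous form: `if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then`. The closing `fi` of this if statement lies outside the hunk.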