Merged
Changes from 6 commits
Commits
35 commits
8a64627
python-setup: Check if `pip` is already installed for Python2
RasmusWL Apr 22, 2022
d9e30cb
Run ML-powered queries on Windows with CodeQL CLI 2.9.0+
henrymercer Apr 28, 2022
193cfa5
Update PR checks for Windows and CodeQL CLI 2.9.0+
henrymercer Apr 28, 2022
ed0abc6
Log the expected outcome of the tests for clarity
henrymercer Apr 28, 2022
395afb1
Fix unit test assertion on Windows
henrymercer Apr 29, 2022
b651a67
Merge branch 'main' into rasmuswl/pip-python2-fix
RasmusWL May 10, 2022
878b64e
Merge branch 'main' into rasmuswl/pip-python2-fix
henrymercer May 10, 2022
7c55012
Merge pull request #1039 from github/rasmuswl/pip-python2-fix
RasmusWL May 10, 2022
d468c94
Update contributing.md
aeisenberg May 10, 2022
ef73e3b
Update changelog and version after v2.1.10
invalid-email-address May 10, 2022
8dbd965
Merge pull request #1063 from github/aeisenberg/contrib
aeisenberg May 10, 2022
ca6773e
Update checked-in dependencies
invalid-email-address May 10, 2022
a82d691
Merge branch 'main' into mergeback/v2.1.10-to-main-75b4f1c4
henrymercer May 10, 2022
38fc5eb
Merge pull request #1064 from github/mergeback/v2.1.10-to-main-75b4f1c4
May 10, 2022
daf6560
Update changelog and version after v2.1.10
invalid-email-address May 11, 2022
4f87830
Merge branch 'main' into mergeback/v2.1.10-to-main-03e2e3c4
henrymercer May 11, 2022
c4fdf5f
Merge pull request #1067 from github/mergeback/v2.1.10-to-main-03e2e3c4
henrymercer May 11, 2022
f8c88ab
Update changelog and version after v2.1.10
invalid-email-address May 11, 2022
97847a4
Merge branch 'main' into mergeback/v2.1.10-to-main-2f58583a
henrymercer May 11, 2022
ace076b
Merge pull request #1070 from github/mergeback/v2.1.10-to-main-2f58583a
henrymercer May 11, 2022
533ce91
Merge remote-tracking branch 'origin/main' into henrymercer/run-atm-o…
henrymercer May 11, 2022
1fae5bf
Merge pull request #1051 from github/henrymercer/run-atm-on-windows
henrymercer May 11, 2022
54b4854
Bump @actions/tool-cache to 2.0.0
henrymercer May 13, 2022
0658e4b
Merge pull request #1075 from github/henrymercer/update-actions-tool-…
henrymercer May 13, 2022
c38e41c
Fix a typo in the CHANGELOG
henrymercer May 13, 2022
e655565
Merge pull request #1076 from github/henrymercer/fix-changelog-typo
henrymercer May 13, 2022
1725087
Update default CodeQL to 2.9.2
edoardopirovano May 12, 2022
657c2f3
Merge pull request #1074 from github/edoardo/2.9.2-update
edoardopirovano May 16, 2022
657581e
Update changelog for v2.1.11
invalid-email-address May 17, 2022
a3a6c12
Merge pull request #1078 from github/update-v2.1.11-657c2f3f
edoardopirovano May 17, 2022
d28ac78
Revert "Update version and changelog for v1.1.10"
invalid-email-address May 17, 2022
c6fc792
Revert "Update checked-in dependencies"
invalid-email-address May 17, 2022
d25b8ac
Merge remote-tracking branch 'origin/releases/v2' into update-v1.1.11…
invalid-email-address May 17, 2022
acc7a4b
Update version and changelog for v1.1.11
invalid-email-address May 17, 2022
459cf02
Update checked-in dependencies
invalid-email-address May 17, 2022
20 changes: 15 additions & 5 deletions .github/workflows/__ml-powered-queries.yml


8 changes: 7 additions & 1 deletion lib/codeql.js


2 changes: 1 addition & 1 deletion lib/codeql.js.map


5 changes: 3 additions & 2 deletions lib/config-utils.js


2 changes: 1 addition & 1 deletion lib/config-utils.js.map


22 changes: 15 additions & 7 deletions lib/config-utils.test.js


2 changes: 1 addition & 1 deletion lib/config-utils.test.js.map


19 changes: 14 additions & 5 deletions pr-checks/checks/ml-powered-queries.yml
Expand Up @@ -32,10 +32,19 @@ steps:
retention-days: 7

- name: Check results
# Running ML-powered queries on Windows requires CodeQL CLI 2.9.0+. We don't run these checks
# against Windows and `cached` while CodeQL CLI 2.9.0 makes its way into `cached` to avoid the
# test starting to fail when the cached CodeQL Bundle gets updated. Once the CodeQL Bundle
# containing CodeQL CLI 2.9.0 has been fully released, we can drop this line and start running
# these checks on Windows and `cached`.
if: matrix.os != 'windows-latest' || matrix.version != 'cached'
env:
IS_WINDOWS: ${{ matrix.os == 'windows-latest' }}
# Running on Windows requires CodeQL CLI 2.9.0+, which has so far only made it to 'latest'.
SHOULD_RUN_ML_POWERED_QUERIES: ${{ matrix.os != 'windows-latest' || matrix.version == 'latest' || matrix.version == 'nightly-latest' }}
shell: bash
run: |
echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}"

cd "$RUNNER_TEMP/results"
# We should run at least the ML-powered queries in `expected_rules`.
expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
Expand All @@ -44,10 +53,10 @@ steps:
found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
flatten | .[].id] | any(. == $rule)' javascript.sarif)
echo "Did find rule '${rule}': ${found_rule}"
if [[ "${found_rule}" != "true" && "${IS_WINDOWS}" != "true" ]]; then
if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
exit 1
elif [[ "${found_rule}" == "true" && "${IS_WINDOWS}" == "true" ]]; then
elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis."
exit 1
fi
Expand All @@ -58,10 +67,10 @@ steps:
select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
javascript.sarif)
echo "Found ${num_alerts} alerts from ML-powered queries.";
if [[ "${num_alerts}" -eq 0 && "${IS_WINDOWS}" != "true" ]]; then
if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then
echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
exit 1
elif [[ "${num_alerts}" -ne 0 && "${IS_WINDOWS}" == "true" ]]; then
elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then
echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}."
exit 1
fi
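Review bot: The Windows/`cached` gate is now expressed twice in this step — once in the step-level `if:` (`matrix.os != 'windows-latest' || matrix.version != 'cached'`) and again in the new `SHOULD_RUN_ML_POWERED_QUERIES` expression, which already evaluates to `false` for that combination — and the two encode the same CLI-version assumption in different terms (`cached` vs. `latest`/`nightly-latest`), so they can drift when the comment's planned removal of the `if:` line happens. Note that they also behave differently: the `if:` skips the check entirely, whereas `SHOULD_RUN_ML_POWERED_QUERIES == "false"` runs it and asserts that no ML-powered rules or alerts are present, so the negative path is currently only exercised for Windows with a pinned pre-2.9.0 version, if any such entry exists in the matrix. If the `if:` is kept deliberately to avoid a failure window while the bundle rolls out, a one-line comment next to the env entry, `# Keep in sync with the step-level if: above; both must agree on which versions support ML-powered queries on Windows`, would make the coupling explicit. The `steps:` list this step belongs to starts outside the hunk.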
7 changes: 7 additions & 0 deletions src/codeql.ts
Expand Up @@ -232,6 +232,13 @@ export const CODEQL_VERSION_ML_POWERED_QUERIES = "2.7.5";
*/
export const CODEQL_VERSION_NEW_TRACING = "2.7.0";

/**
* Versions 2.9.0+ of the CodeQL CLI run machine learning models from a temporary directory, which
* resolves an issue on Windows where TensorFlow models are not correctly loaded due to the path of
* some of their files being greater than MAX_PATH (260 characters).
*/
export const CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS = "2.9.0";

function getCodeQLBundleName(): string {
let platform: string;
if (process.platform === "win32") {
52 changes: 37 additions & 15 deletions src/config-utils.test.ts
Expand Up @@ -1804,42 +1804,64 @@ test(
"security-extended",
undefined
);
// Test that the ~0.1.0 version of ML-powered queries is run on v2.8.3 of the CLI.
test(
mlPoweredQueriesMacro,
"2.8.3",
true,
undefined,
"security-extended",
process.platform === "win32" ? undefined : "~0.1.0"
);
// Test that ML-powered queries aren't run when the user hasn't specified that we should run the
// `security-extended` or `security-and-quality` query suite.
test(mlPoweredQueriesMacro, "2.7.5", true, undefined, undefined, undefined);
// Test that ML-powered queries are run on non-Windows platforms running `security-extended`.
// Test that ML-powered queries are run on non-Windows platforms running `security-extended` on
// versions of the CodeQL CLI prior to 2.9.0.
test(
mlPoweredQueriesMacro,
"2.7.5",
"2.8.5",
true,
undefined,
"security-extended",
process.platform === "win32" ? undefined : "~0.1.0"
process.platform === "win32" ? undefined : "~0.2.0"
);
// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality`.
// Test that ML-powered queries are run on non-Windows platforms running `security-and-quality` on
// versions of the CodeQL CLI prior to 2.9.0.
test(
mlPoweredQueriesMacro,
"2.7.5",
"2.8.5",
true,
undefined,
"security-and-quality",
process.platform === "win32" ? undefined : "~0.1.0"
process.platform === "win32" ? undefined : "~0.2.0"
);
// Test that we don't inject an ML-powered query pack if the user has already specified one.
// Test that ML-powered queries are run on all platforms running `security-extended` on CodeQL CLI
// 2.9.0+.
test(
mlPoweredQueriesMacro,
"2.7.5",
"2.9.0",
true,
"codeql/[email protected]",
"security-and-quality",
process.platform === "win32" ? undefined : "0.0.1"
undefined,
"security-extended",
"~0.2.0"
);
// Test that the ~0.2.0 version of ML-powered queries is run on v2.8.4 of the CLI.
// Test that ML-powered queries are run on all platforms running `security-and-quality` on CodeQL
// CLI 2.9.0+.
test(
mlPoweredQueriesMacro,
"2.8.4",
"2.9.0",
true,
undefined,
"security-extended",
process.platform === "win32" ? undefined : "~0.2.0"
"security-and-quality",
"~0.2.0"
);
// Test that we don't inject an ML-powered query pack if the user has already specified one.
test(
mlPoweredQueriesMacro,
"2.9.0",
true,
"codeql/[email protected]",
"security-and-quality",
"0.0.1"
);
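Review bot: The expected values in the pre-2.9.0 cases (`process.platform === "win32" ? undefined : "~0.2.0"` on the 2.8.3 and 2.8.5 tests) are keyed on the host the suite runs on, so the branch that skips ML-powered queries on Windows with an older CLI is only asserted when CI itself runs on Windows; on other hosts those tests are indistinguishable from the new 2.9.0 cases, which expect `"~0.2.0"` unconditionally. If `mlPoweredQueriesMacro` (defined outside the hunk) can take a platform parameter or the suite already stubs `process.platform`, pinning both outcomes on every host would make the regression the new constant guards against observable everywhere; otherwise a comment on the pre-2.9.0 tests noting that the `undefined` branch is only checked on Windows runners would at least document the gap. The test for the user-supplied pack (`"codeql/[email protected]"`) moving to 2.9.0 with an unconditional `"0.0.1"` looks right, since that path no longer depends on the platform.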
9 changes: 7 additions & 2 deletions src/config-utils.ts
Expand Up @@ -8,6 +8,7 @@ import * as api from "./api-client";
import {
CodeQL,
CODEQL_VERSION_ML_POWERED_QUERIES,
CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS,
ResolveQueriesOutput,
} from "./codeql";
import * as externalQueries from "./external-queries";
Expand Down Expand Up @@ -293,8 +294,12 @@ async function addBuiltinSuiteQueries(
// opted into the ML-powered queries beta, and a user hasn't already added the ML-powered query
// pack, then add the ML-powered query pack so that we run ML-powered queries.
if (
// Disable ML-powered queries on Windows
process.platform !== "win32" &&
// Only run ML-powered queries on Windows if we have a CLI that supports it.
(process.platform !== "win32" ||
(await codeQlVersionAbove(
codeQL,
CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS
))) &&
languages.includes("javascript") &&
(found === "security-extended" || found === "security-and-quality") &&
!packs.javascript?.some(isMlPoweredJsQueriesPack) &&
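Review bot: The awaited version check is embedded in the middle of a five-clause `if` condition, which makes the platform gate hard to read and easy to misplace when the condition is next edited; hoisting it into a named boolean before the `if` keeps the short-circuit (the CLI version is only consulted on Windows) while making the intent self-documenting, e.g. `const platformSupportsMlPoweredQueries = process.platform !== "win32" || (await codeQlVersionAbove(codeQL, CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS));` followed by `platformSupportsMlPoweredQueries &&` as the first clause. The existing comment could then move onto the `const` and say why the version matters: `// Windows needs CLI 2.9.0+ for ML-powered queries (see CODEQL_VERSION_ML_POWERED_QUERIES_WINDOWS).` `addBuiltinSuiteQueries` starts and ends outside the hunk.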