Mergeback v2.21.6 refs/heads/releases/v2 into main #2679
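# Warning: This file is generated automatically, and should not be modified.
# Instead, please modify the template in the pr-checks directory and run:
# (cd pr-checks; pip install ruamel.yaml@0.17.31 && python3 sync.py)
# to regenerate this file.
#
# PR check: runs the CodeQL action against a fixture repository with the
# JavaScript ML-powered queries enabled and asserts, from the produced SARIF,
# that those queries ran and produced at least one alert.
name: PR Check - ML-powered queries
env:
  # Workflow-level env is visible to every step, including the third-party
  # actions used below; the token's reach is bounded by the job's
  # `permissions` block (contents: read, security-events: write).
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  GO111MODULE: auto
  # Quoted so the value stays the string "true" rather than a YAML boolean.
  CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true'
# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it, so
# suppress yamllint's truthy rule here rather than renaming it.
on:
  push:
    branches:
      - main
      - releases/v2
  # `pull_request` (not `pull_request_target`) keeps fork PRs on the
  # read-only token and in the PR's own context.
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - ready_for_review
  workflow_dispatch: {}
jobs:
  ml-powered-queries:
    strategy:
      matrix:
        # Every CLI version is exercised on all three runner OSes.
        include:
          - os: ubuntu-latest
            version: stable-20220615
          - os: macos-latest
            version: stable-20220615
          - os: windows-latest
            version: stable-20220615
          - os: ubuntu-latest
            version: stable-20220908
          - os: macos-latest
            version: stable-20220908
          - os: windows-latest
            version: stable-20220908
          - os: ubuntu-latest
            version: stable-20221211
          - os: macos-latest
            version: stable-20221211
          - os: windows-latest
            version: stable-20221211
          - os: ubuntu-latest
            version: stable-20230418
          - os: macos-latest
            version: stable-20230418
          - os: windows-latest
            version: stable-20230418
          - os: ubuntu-latest
            version: default
          - os: macos-latest
            version: default
          - os: windows-latest
            version: default
          - os: ubuntu-latest
            version: latest
          - os: macos-latest
            version: latest
          - os: windows-latest
            version: latest
          - os: ubuntu-latest
            version: nightly-latest
          - os: macos-latest
            version: nightly-latest
          - os: windows-latest
            version: nightly-latest
    name: ML-powered queries
    # Least privilege: reading the checkout and uploading SARIF is all the
    # job needs.
    permissions:
      contents: read
      security-events: write
    timeout-minutes: 45
    runs-on: ${{ matrix.os }}
    steps:
      # External actions are referenced by mutable major tag; pinning them to
      # a full commit SHA would make the supply chain reproducible.
      - name: Check out repository
        uses: actions/checkout@v4
      - name: Prepare test
        id: prepare-test
        uses: ./.github/actions/prepare-test
        with:
          version: ${{ matrix.version }}
          use-all-platform-bundle: 'false'
      - name: Set environment variable for Swift enablement
        # Compared against the full matrix value (`stable-…`): the matrix
        # never contains a bare `20220908`/`20221211`, so a comparison with the
        # bare date would never match and the flag would never be set. The
        # same fix belongs in the pr-checks template this file is generated from.
        if: >-
          runner.os != 'Windows' && (
            matrix.version == 'stable-20220908' ||
            matrix.version == 'stable-20221211'
          )
        shell: bash
        run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> "$GITHUB_ENV"
      - uses: ./../action/init
        with:
          languages: javascript
          queries: security-extended
          source-root: ./../action/tests/ml-powered-queries-repo
          tools: ${{ steps.prepare-test.outputs.tools-url }}
      - uses: ./../action/analyze
        with:
          output: ${{ runner.temp }}/results
          # Action inputs are always strings; quoted for consistency with
          # `use-all-platform-bundle` above.
          upload-database: 'false'
      - name: Upload SARIF
        uses: actions/upload-artifact@v3
        with:
          name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json
          path: ${{ runner.temp }}/results/javascript.sarif
          retention-days: 7
      - name: Check sarif
        uses: ./../action/.github/actions/check-sarif
        with:
          sarif-file: ${{ runner.temp }}/results/javascript.sarif
          # Folded scalar: a single comma-separated line at runtime.
          queries-run: >-
            js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss
          queries-not-run: foo,bar
      - name: Check results
        shell: bash
        run: |
          cd "$RUNNER_TEMP/results"
          # We should run at least the ML-powered queries in `expected_rules`.
          expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss"
          for rule in ${expected_rules}; do
            # Rules may be nested per extension; flatten before looking for the id.
            found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) |
              flatten | .[].id] | any(. == $rule)' javascript.sarif)
            echo "Did find rule '${rule}': ${found_rule}"
            if [[ "${found_rule}" != "true" ]]; then
              echo "Expected SARIF output to contain rule '${rule}', but found no such rule."
              exit 1
            fi
          done
          # We should have at least one alert from an ML-powered query.
          num_alerts=$(jq '[.runs[0].results[] |
            select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \
            javascript.sarif)
          echo "Found ${num_alerts} alerts from ML-powered queries.";
          if [[ "${num_alerts}" -eq 0 ]]; then
            echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}."
            exit 1
          fi
        env:
          # Quoted for consistency with the workflow-level env above.
          CODEQL_ACTION_TEST_MODE: 'true'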