Send version and mode to code scanning via user agent #516
Conversation
aeisenberg
force-pushed
the
aeisenberg/update-changelog-on-release
branch
12 times, most recently
from
1efbebf
to
800a951
Compare
aeisenberg
changed the title
isAction function
aeisenberg
force-pushed
the
aeisenberg/user-agent
branch
from
0606d50
to
e0c15c8
Compare
aeisenberg
changed the base branch from
aeisenberg/update-changelog-on-release
to
main
aeisenberg
force-pushed
the
aeisenberg/user-agent
branch
from
ac8ab32
to
a20890d
Compare
|
The conditional branching within the updated getCodeQLBundleDownloadURL function should be tested based on the new method of determining the mode. Every occurrence in which an explicit mode was passed in now implicitly relies upon the environment in which it is called. Should that implicit behavior be moved to a higher level of abstraction, e.g., into functions directly consumed by the end-user? There are some low-level functions that rely on the results of getCodeQLBundleDownloadURL. |
aeisenberg
force-pushed
the
aeisenberg/user-agent
branch
from
a20890d
to
e5734f0
Compare
|
Thanks for the comment @RA80533. I added a couple of more unit tests. I feel like the code is reasonably safe now. We are sure to set the mode at the beginning of every entry point. If there is a call to get the mode and it hasn't been set yet, then that will fail. In some ways, the logic is more complex because some low level functions now rely on a new environment variable, but the trade off is that we no longer need to pass the |
aeisenberg
force-pushed
the
aeisenberg/user-agent
branch
from
e5734f0
to
c824362
Compare
It is very much a case of deciding which to trade off. Environment variables become unwieldy in larger projects because they create a mathematical side effect in the flow of logic; for smaller projects, such as this one, the flow of data is easy enough to follow to the point that such dependent behavior is easy to track down. /lgtm |
aeisenberg
force-pushed
the
aeisenberg/user-agent
branch
from
c824362
to
af01d94
Compare
|
Ooooh...code scanning found a bug. Thank you code scanning. |
aeisenberg
force-pushed
the
aeisenberg/user-agent
branch
2 times, most recently
from
c646c93
to
026871f
Compare
| export function setMode(mode: Mode) { | ||
| // avoid accessing actions core when in runner mode | ||
| if (mode === Mode.actions) { | ||
| core.exportVariable(CODEQL_RUN_MODE_ENV_VAR, mode); |
There was a problem hiding this comment.
Note this is a code scanning error, but a false positive. We cannot have a code path accessible from the runner that will call into the core library. The if clause above prevents this from happening.
|
Updated ql queries that look for runner/actions access. Could I get another look at this? |
|
Without the guard, what would be available to non-Actions runners through the core library? EDIT: Oh, I see. The code library doesn’t support non-GitHub Actions environments. |
|
Yes, mostly right...there are some actions libraries that are ok to use for the runner. codeql-action/queries/unguarded-action-lib.ql Lines 16 to 21 in 3a474e8 |
aeisenberg
force-pushed
the
aeisenberg/user-agent
branch
from
3a474e8
to
8ade7ba
Compare
There was a problem hiding this comment.
Nice. Logic makes sense and neat adjustment to the query; a few minor suggestions there.
There's probably room to combine more of the logic in that query, and use some builtin features of the CodeQL JS libraries, but we can do that separately. No need to hold up this PR.
| @@ -149,7 +150,9 @@ program | |||
| "(Advanced, windows-only) Inject a windows tracer of this process into a parent process <number> levels up." | |||
| ) | |||
| .action(async (cmd: InitArgs) => { | |||
| setMode(Mode.runner); | |||
There was a problem hiding this comment.
Minor: I wonder if there's a prehook we can use to always set the mode to runner at the start of each action() call in this file. Or we can check it by query, as a follow up.
There was a problem hiding this comment.
Hmmm...it looks like there is an event mechanism for commander, but it's not quite what we need and it is internal, so I think we will need to create a query here.
queries/unguarded-action-lib.ql
Outdated
| /** | ||
| * Get an expr that is only executed on actions | ||
| */ | ||
| abstract Expr getAnActionsExpr(); |
There was a problem hiding this comment.
You could instead declare:
abstract Stmt getActionsBlock();
/**
* Gets an expr that is only executed on actions
*/
final Expr getAnActionsExpr() { getActionsBlock().getAChildStmt*().getAChildExpr*() = result }This way each subclass needs to describe what they consider an Actions-specific statement, and you don't need to repeat the logic for an Actions-specific expression.
There was a problem hiding this comment.
Yes. That's better. Thanks.
This commit changes the way the action determines if running in action or runner mode. There is now an environment variable that is set at the beginning of the process and elsewhere in the process, we can check to see if the variable is set.
Update the ql queries to account for change in how we look for runner Previously, we guarded blocks of code to be run by the runner or the action using if statements like this: ```js if (mode === "actions") ... ``` We are no longer doing this. And now, the `unguarded-action-lib.ql` query is out of date. This query checks that runner code does not unintentionally access actions-only methods in the libraries. With these changes, we now ensure that code scanning is happy.
aeisenberg
force-pushed
the
aeisenberg/user-agent
branch
from
8ade7ba
to
1a4cdd3
Compare
|
Wait...commander v8 is soon to be released with a |
The initial goal of this change is to send more complete information to code scanning via the user agent. This also opens the possibility of sending the action/runner version to the CLI.
This commit changes the way the action determines if running in action
or runner mode. There is now an environment variable that is set at the
beginning of the process and elsewhere in the process, we can check to
see if the variable is set.
Merge / deployment checklist