Mergeback v2.20.4 refs/heads/releases/v2 into main #2415
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Warning: This file is generated automatically, and should not be modified. | |
# Instead, please modify the template in the pr-checks directory and run: | |
# (cd pr-checks; pip install ruamel.yaml && python3 sync.py) | |
# to regenerate this file. | |
name: PR Check - ML-powered queries | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GO111MODULE: auto | |
CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN: 'true' | |
on: | |
push: | |
branches: | |
- main | |
- releases/v2 | |
pull_request: | |
types: | |
- opened | |
- synchronize | |
- reopened | |
- ready_for_review | |
workflow_dispatch: {} | |
jobs: | |
ml-powered-queries: | |
strategy: | |
matrix: | |
include: | |
- os: ubuntu-latest | |
version: stable-20220401 | |
- os: macos-latest | |
version: stable-20220401 | |
- os: windows-latest | |
version: stable-20220401 | |
- os: ubuntu-latest | |
version: stable-20220615 | |
- os: macos-latest | |
version: stable-20220615 | |
- os: windows-latest | |
version: stable-20220615 | |
- os: ubuntu-latest | |
version: stable-20220908 | |
- os: macos-latest | |
version: stable-20220908 | |
- os: windows-latest | |
version: stable-20220908 | |
- os: ubuntu-latest | |
version: stable-20221211 | |
- os: macos-latest | |
version: stable-20221211 | |
- os: windows-latest | |
version: stable-20221211 | |
- os: ubuntu-latest | |
version: cached | |
- os: macos-latest | |
version: cached | |
- os: windows-latest | |
version: cached | |
- os: ubuntu-latest | |
version: latest | |
- os: macos-latest | |
version: latest | |
- os: windows-latest | |
version: latest | |
- os: ubuntu-latest | |
version: nightly-latest | |
- os: macos-latest | |
version: nightly-latest | |
- os: windows-latest | |
version: nightly-latest | |
name: ML-powered queries | |
permissions: | |
contents: read | |
security-events: write | |
timeout-minutes: 45 | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@v3 | |
- name: Prepare test | |
id: prepare-test | |
uses: ./.github/actions/prepare-test | |
with: | |
version: ${{ matrix.version }} | |
- name: Set environment variable for Swift enablement | |
if: >- | |
runner.os != 'Windows' && ( | |
matrix.version == '20220908' || | |
matrix.version == '20221211' | |
) | |
shell: bash | |
run: echo "CODEQL_ENABLE_EXPERIMENTAL_FEATURES_SWIFT=true" >> $GITHUB_ENV | |
- uses: ./../action/init | |
with: | |
languages: javascript | |
queries: security-extended | |
source-root: ./../action/tests/ml-powered-queries-repo | |
tools: ${{ steps.prepare-test.outputs.tools-url }} | |
- uses: ./../action/analyze | |
with: | |
output: ${{ runner.temp }}/results | |
upload-database: false | |
- name: Upload SARIF | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ml-powered-queries-${{ matrix.os }}-${{ matrix.version }}.sarif.json | |
path: ${{ runner.temp }}/results/javascript.sarif | |
retention-days: 7 | |
- name: Check sarif | |
uses: ./../action/.github/actions/check-sarif | |
# Running on Windows requires CodeQL CLI 2.9.0+. | |
if: "!(matrix.version == 'stable-20220401' && runner.os == 'Windows')" | |
with: | |
sarif-file: ${{ runner.temp }}/results/javascript.sarif | |
queries-run: | |
js/ml-powered/nosql-injection,js/ml-powered/path-injection,js/ml-powered/sql-injection,js/ml-powered/xss | |
queries-not-run: foo,bar | |
- name: Check results | |
env: | |
# Running on Windows requires CodeQL CLI 2.9.0+. | |
SHOULD_RUN_ML_POWERED_QUERIES: ${{ !(matrix.version == 'stable-20220401' && | |
runner.os == 'Windows') }} | |
shell: bash | |
run: | | |
echo "Expecting ML-powered queries to be run: ${SHOULD_RUN_ML_POWERED_QUERIES}" | |
cd "$RUNNER_TEMP/results" | |
# We should run at least the ML-powered queries in `expected_rules`. | |
expected_rules="js/ml-powered/nosql-injection js/ml-powered/path-injection js/ml-powered/sql-injection js/ml-powered/xss" | |
for rule in ${expected_rules}; do | |
found_rule=$(jq --arg rule "${rule}" '[.runs[0].tool.extensions[].rules | select(. != null) | | |
flatten | .[].id] | any(. == $rule)' javascript.sarif) | |
echo "Did find rule '${rule}': ${found_rule}" | |
if [[ "${found_rule}" != "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then | |
echo "Expected SARIF output to contain rule '${rule}', but found no such rule." | |
exit 1 | |
elif [[ "${found_rule}" == "true" && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then | |
echo "Found rule '${rule}' in the SARIF output which shouldn't have been part of the analysis." | |
exit 1 | |
fi | |
done | |
# We should have at least one alert from an ML-powered query. | |
num_alerts=$(jq '[.runs[0].results[] | | |
select(.properties.score != null and (.rule.id | startswith("js/ml-powered/")))] | length' \ | |
javascript.sarif) | |
echo "Found ${num_alerts} alerts from ML-powered queries."; | |
if [[ "${num_alerts}" -eq 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" == "true" ]]; then | |
echo "Expected to find at least one alert from an ML-powered query but found ${num_alerts}." | |
exit 1 | |
elif [[ "${num_alerts}" -ne 0 && "${SHOULD_RUN_ML_POWERED_QUERIES}" != "true" ]]; then | |
echo "Expected not to find any alerts from an ML-powered query but found ${num_alerts}." | |
exit 1 | |
fi | |
env: | |
CODEQL_ACTION_TEST_MODE: true |