├── .github └── workflows │ └── test-create-bundle.yml ├── CODEOWNERS ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── LICENSE ├── README.md ├── create-bundle └── action.yml ├── download-bundle └── action.yml └── tests ├── code-scanning-config.yml ├── codeql-workspace.yml ├── cpp-queries ├── codeql-pack.lock.yml └── qlpack.yml ├── go-customizations ├── codeql-pack.lock.yml ├── qlpack.yml └── test │ └── go_customizations │ └── Customizations.qll ├── go-queries ├── codeql-pack.lock.yml └── qlpack.yml ├── java-queries ├── codeql-pack.lock.yml └── qlpack.yml ├── javascript-queries ├── codeql-pack.lock.yml └── qlpack.yml └── run-locally.sh /.github/workflows/test-create-bundle.yml: -------------------------------------------------------------------------------- 1 | name: "Test CodeQL Bundle: Create bundle" 2 | on: 3 | workflow_dispatch: 4 | 5 | jobs: 6 | test: 7 | name: "Create custom bundle" 8 | runs-on: ubuntu-latest 9 | steps: 10 | - uses: advanced-security/codeql-bundle-action/download-bundle@v2 11 | id: download-bundle 12 | with: 13 | tag: "latest" 14 | platforms: "osx64,linux64,win64" 15 | - uses: actions/checkout@v4 16 | - uses: advanced-security/codeql-bundle-action/create-bundle@v2 17 | id: create-bundle 18 | with: 19 | bundle-path: ${{ steps.download-bundle.outputs.bundle-path }} 20 | packs: "test/go-queries,test/go-customizations,test/java-queries,test/cpp-queries,test/javascript-queries" 21 | workspace: "${{ github.workspace }}/tests/codeql-workspace.yml" 22 | default-code-scanning-config: "${{ github.workspace }}/tests/code-scanning-config.yml" 23 | platforms: "osx64,linux64,win64" 24 | debug: "true" 25 | - uses: actions/upload-artifact@v4 26 | with: 27 | name: codeql-bundles 28 | path: ${{ steps.create-bundle.outputs.output-path }} -------------------------------------------------------------------------------- /CODEOWNERS: -------------------------------------------------------------------------------- 1 | # This project is maintained with love by: 
@rvermeulen 2 | 3 | * @rvermeulen 4 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Contributor Covenant Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | We as members, contributors, and leaders pledge to make participation in our 6 | community a harassment-free experience for everyone, regardless of age, body 7 | size, visible or invisible disability, ethnicity, sex characteristics, gender 8 | identity and expression, level of experience, education, socio-economic status, 9 | nationality, personal appearance, race, religion, or sexual identity 10 | and orientation. 11 | 12 | We pledge to act and interact in ways that contribute to an open, welcoming, 13 | diverse, inclusive, and healthy community. 14 | 15 | ## Our Standards 16 | 17 | Examples of behavior that contributes to a positive environment for our 18 | community include: 19 | 20 | * Demonstrating empathy and kindness toward other people 21 | * Being respectful of differing opinions, viewpoints, and experiences 22 | * Giving and gracefully accepting constructive feedback 23 | * Accepting responsibility and apologizing to those affected by our mistakes, 24 | and learning from the experience 25 | * Focusing on what is best not just for us as individuals, but for the 26 | overall community 27 | 28 | Examples of unacceptable behavior include: 29 | 30 | * The use of sexualized language or imagery, and sexual attention or 31 | advances of any kind 32 | * Trolling, insulting or derogatory comments, and personal or political attacks 33 | * Public or private harassment 34 | * Publishing others' private information, such as a physical or email 35 | address, without their explicit permission 36 | * Other conduct which could reasonably be considered inappropriate in a 37 | professional setting 38 | 39 | ## Enforcement Responsibilities 40 | 41 | Community leaders are responsible for 
clarifying and enforcing our standards of 42 | acceptable behavior and will take appropriate and fair corrective action in 43 | response to any behavior that they deem inappropriate, threatening, offensive, 44 | or harmful. 45 | 46 | Community leaders have the right and responsibility to remove, edit, or reject 47 | comments, commits, code, wiki edits, issues, and other contributions that are 48 | not aligned to this Code of Conduct, and will communicate reasons for moderation 49 | decisions when appropriate. 50 | 51 | ## Scope 52 | 53 | This Code of Conduct applies within all community spaces, and also applies when 54 | an individual is officially representing the community in public spaces. 55 | Examples of representing our community include using an official e-mail address, 56 | posting via an official social media account, or acting as an appointed 57 | representative at an online or offline event. 58 | 59 | ## Enforcement 60 | 61 | Instances of abusive, harassing, or otherwise unacceptable behavior may be 62 | reported to the community leaders responsible for enforcement at 63 | opensource@github.com. 64 | All complaints will be reviewed and investigated promptly and fairly. 65 | 66 | All community leaders are obligated to respect the privacy and security of the 67 | reporter of any incident. 68 | 69 | ## Enforcement Guidelines 70 | 71 | Community leaders will follow these Community Impact Guidelines in determining 72 | the consequences for any action they deem in violation of this Code of Conduct: 73 | 74 | ### 1. Correction 75 | 76 | **Community Impact**: Use of inappropriate language or other behavior deemed 77 | unprofessional or unwelcome in the community. 78 | 79 | **Consequence**: A private, written warning from community leaders, providing 80 | clarity around the nature of the violation and an explanation of why the 81 | behavior was inappropriate. A public apology may be requested. 82 | 83 | ### 2. 
Warning 84 | 85 | **Community Impact**: A violation through a single incident or series 86 | of actions. 87 | 88 | **Consequence**: A warning with consequences for continued behavior. No 89 | interaction with the people involved, including unsolicited interaction with 90 | those enforcing the Code of Conduct, for a specified period of time. This 91 | includes avoiding interactions in community spaces as well as external channels 92 | like social media. Violating these terms may lead to a temporary or 93 | permanent ban. 94 | 95 | ### 3. Temporary Ban 96 | 97 | **Community Impact**: A serious violation of community standards, including 98 | sustained inappropriate behavior. 99 | 100 | **Consequence**: A temporary ban from any sort of interaction or public 101 | communication with the community for a specified period of time. No public or 102 | private interaction with the people involved, including unsolicited interaction 103 | with those enforcing the Code of Conduct, is allowed during this period. 104 | Violating these terms may lead to a permanent ban. 105 | 106 | ### 4. Permanent Ban 107 | 108 | **Community Impact**: Demonstrating a pattern of violation of community 109 | standards, including sustained inappropriate behavior, harassment of an 110 | individual, or aggression toward or disparagement of classes of individuals. 111 | 112 | **Consequence**: A permanent ban from any sort of public interaction within 113 | the community. 114 | 115 | ## Attribution 116 | 117 | This Code of Conduct is adapted from the [Contributor Covenant][homepage], 118 | version 2.0, available at 119 | https://www.contributor-covenant.org/version/2/0/code_of_conduct.html. 120 | 121 | Community Impact Guidelines were inspired by [Mozilla's code of conduct 122 | enforcement ladder](https://github.com/mozilla/diversity). 
123 | 124 | [homepage]: https://www.contributor-covenant.org 125 | 126 | For answers to common questions about this code of conduct, see the FAQ at 127 | https://www.contributor-covenant.org/faq. Translations are available at 128 | https://www.contributor-covenant.org/translations. -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # Contributing 2 | 3 | [fork]: https://github.com/github/REPO/fork 4 | [pr]: https://github.com/github/REPO/compare 5 | [code-of-conduct]: CODE_OF_CONDUCT.md 6 | 7 | Hi there! We're thrilled that you'd like to contribute to this project. Your help is essential for keeping it great. 8 | 9 | Contributions to this project are [released](https://help.github.com/articles/github-terms-of-service/#6-contributions-under-repository-license) to the public under the [project's open source license](LICENSE.md). 10 | 11 | Please note that this project is released with a [Contributor Code of Conduct][code-of-conduct]. By participating in this project you agree to abide by its terms. 12 | 13 | ## Submitting a pull request 14 | 15 | 0. [Fork][fork] and clone the repository. 16 | 1. Create a new branch: `git checkout -b my-branch-name`. 17 | 2. Make your change, add tests, and make sure the tests pass. 18 | 3. Push to your fork and [submit a pull request][pr]. 19 | 4. Ensure the required checks pass. 20 | 21 | Here are a few things you can do that will increase the likelihood of your pull request being accepted: 22 | 23 | - Write tests. 24 | - Keep your change as focused as possible. If there are multiple changes you would like to make that are not dependent upon each other, consider submitting them as separate pull requests. 25 | - Write a [good commit message](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html). 
26 | 27 | ## Resources 28 | 29 | - [How to Contribute to Open Source](https://opensource.guide/how-to-contribute/) 30 | - [Using Pull Requests](https://help.github.com/articles/about-pull-requests/) 31 | - [GitHub Help](https://help.github.com) 32 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2023 GitHub 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CodeQL bundle action 2 | 3 | This action retrofits an existing [CodeQL bundle](https://github.com/github/codeql-action/releases) with additional [CodeQL packs](https://codeql.github.com/docs/codeql-cli/creating-and-working-with-codeql-packs/) using the [CodeQL bundle CLI](https://github.com/rvermeulen/codeql-bundle) 4 | The bundle will be a single deployable artifact containing the CodeQL standard library, the CodeQL standard queries, and any other libraries or queries that are relevant. 5 | Additionally, the CodeQL standard library and standard queries can be customized to consider additional sources, sinks, data-flow/taint steps, sanitizers and barriers. 6 | 7 | A custom codeql bundle has the following benefits: 8 | 9 | - A single artifact containing the standard queries and other queries of interest. 10 | - A compilation cache for all the included queries resulting in a faster analysis. 11 | - All the included queries can benefit from customizations that improve the coverage of the analysis. 12 | 13 | ## Usage 14 | 15 | The following Action workflow is a minimal example showing how to use this action to create a bundle containing the CodeQL packs listed in `packs` and how to upload it as an artifact. 
16 | 17 | ```yaml 18 | name: "Build custom bundle" 19 | on: 20 | push: 21 | branches: 22 | - main 23 | pull_request: 24 | branches: 25 | - main 26 | workflow_dispatch: 27 | 28 | jobs: 29 | test: 30 | name: "Create custom bundle" 31 | runs-on: ubuntu-latest 32 | steps: 33 | - uses: actions/checkout@v3 34 | - uses: advanced-security/codeql-bundle-action/download-bundle@v2 35 | id: download-bundle 36 | with: 37 | tag: "latest" 38 | - uses: advanced-security/codeql-bundle-action/create-bundle@v2 39 | id: create-bundle 40 | with: 41 | bundle-path: ${{ steps.download-bundle.outputs.bundle-path }} 42 | packs: "octo/cpp-queries,octo/cpp-all,octo/cpp-customizations" 43 | - uses: actions/upload-artifact@v3 44 | with: 45 | name: codeql-bundle.tar.gz 46 | path: ${{ steps.create-bundle.outputs.output-path }} 47 | ``` 48 | 49 | The following Action workflow excerpt shows how a custom bundle can be used in a CodeQL analysis workflow. 50 | It assumes the custom bundle is available as a release, but any other location works as long as it is made 51 | available before the `github/codeql-action/init` step and its path is made available to the `tools` input. 52 | 53 | ```yaml 54 | - name: Download benchmark bundle 55 | env: 56 | GH_TOKEN: ${{ github.token }} 57 | run: | 58 | gh release download -R octo-org/codeql-bundle --pattern 'codeql-bundle.tar.gz' 59 | 60 | - name: CodeQL Initialize 61 | uses: github/codeql-action/init@v2 62 | with: 63 | tools: codeql-bundle.tar.gz 64 | ``` 65 | 66 | ## Locating your CodeQL packs 67 | 68 | The action relies on a CodeQL Workspace to resolve the location of the specified CodeQL packs. 69 | A CodeQL Workspace can be defined using a `codeql-workspace.yml` file that should contain a key `provide` with an array of locations to your CodeQL packs (i.e., the location of the `qlpack.yml` files). 
70 | 71 | For an example, consult the test [CodeQL Workspace](tests/codeql-workspace.yml) 72 | 73 | By default the action looks at the root of the repository. If the CodeQL Workspace specification is located in a subfolder then you can use the `workspace` input to specify its location. 74 | 75 | ## Customizations 76 | 77 | The CodeQL standard library can be customized by adding implementations of available extension points to a special CodeQL library called `Customizations.qll` that is available for most of the languages (this is not available for C++). 78 | This action uses that mechanism to inject customizations defined in a so-called CodeQL customization pack. 79 | 80 | A CodeQL customization pack is a concept that doesn't exist outside this action and consists of a CodeQL library pack with extra metadata and structure. 81 | To create a CodeQL customization pack, follow these steps: 82 | 83 | 1. Initialize a new qlpack using the CodeQL CLI as follows (we use Java as an example target): `codeql pack init octo/java-customizations` 84 | 2. Change the value of `library` to `true` in the generated file `java-customizations/qlpack.yml` 85 | 3. Create the CodeQL module `java-customizations/octo/java_customizations/Customizations.qll` **Note: the directory structure contains the scope and name where the characters `-` are substituted with `_`!** 86 | 4. Add the Java standard library as a dependency for development of the customizations using the CodeQL CLI as follows: `codeql pack add --dir=java-customizations codeql/java-all` **Note: ensure the version is compatible with the CodeQL bundle being targeted!** 87 | 88 | You can now add your customizations directly in the `Customizations.qll` or other modules that are imported by the `Customizations.qll`. 89 | 90 | ## Creating platform specific bundles 91 | 92 | By default the `download-action` uses the platform-agnostic CodeQL bundle that supports all the platforms supported by the CodeQL CLI. 
93 | To reduce the size of the final artifact you can use a platform specific bundle by specifying the `platforms` input with one of `osx64`, `linux64`, or `win64`. 94 | Note that the runner **MUST** be compatible with the platform! 95 | 96 | The `create-bundle` is capable of building platform specific CodeQL bundles from the platform agnostic bundle. 97 | It will build a bundle for each of the platforms provided in the `platforms` input. 98 | 99 | This combination provides the flexibility to build bundles for platforms that are not supported by the Action runner. 100 | For example, the following workflow creates separate bundles for each platform. 101 | 102 | ```yaml 103 | name: "Build custom bundle" 104 | on: 105 | push: 106 | branches: 107 | - main 108 | pull_request: 109 | branches: 110 | - main 111 | workflow_dispatch: 112 | 113 | jobs: 114 | test: 115 | name: "Create custom bundle" 116 | runs-on: ubuntu-latest 117 | steps: 118 | - uses: actions/checkout@v3 119 | - uses: advanced-security/codeql-bundle-action/download-bundle@v2 120 | id: download-bundle 121 | with: 122 | tag: "latest" 123 | - uses: advanced-security/codeql-bundle-action/create-bundle@v2 124 | id: create-bundle 125 | with: 126 | bundle-path: ${{ steps.download-bundle.outputs.bundle-path }} 127 | packs: "octo/cpp-queries,octo/cpp-all,octo/cpp-customizations" 128 | platforms: osx64,win64,linux64 129 | - uses: actions/upload-artifact@v3 130 | with: 131 | name: codeql-bundles 132 | path: ${{ steps.create-bundle.outputs.output-path }} 133 | ``` 134 | 135 | When providing multiple platforms the `output-path` output is a directory containing the bundles, each named according to pattern `codeql-bundle-$PLATFORM.tar.gz`. 136 | 137 | ## Limitations 138 | 139 | This Action uses the [CodeQL bundle CLI](https://github.com/rvermeulen/codeql-bundle) and inherits its limitations. 
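--------------------------------------------------------------------------------
/create-bundle/action.yml:
--------------------------------------------------------------------------------
name: "CodeQL Bundle: Create bundle"
description: "Action to build custom CodeQL bundles"
inputs:
  bundle-path:
    description: Path to the bundle to customize
    required: true
  packs:
    description: A comma-separated list of CodeQL packs to include in the bundle
    required: true
  workspace:
    description: Root directory where the codeql-workspace.yml file is located
    required: false
    default: "."
  default-code-scanning-config:
    description: Path to the default code scanning configuration file
    required: false
    default: ""
  platforms:
    description: A comma-separated list of platforms to build the bundle for, if supported by the bundle. Typically used with the generic bundle to build a specific platform bundle on a different runner architecture.
    required: false
    default: ""
  debug:
    description: Enable debug logging, by setting this value to "true"
    required: false
    default: "false"
outputs:
  output-path:
    description: Path to the created bundle or directory if multiple platforms are specified
    value: ${{ steps.create-bundle.outputs.output-path }}
runs:
  using: "composite"
  steps:
    - uses: actions/setup-python@v4
      with:
        python-version: "3.11"
    - run: |
        echo "::group::Installing dependencies"
        echo "Installing codeql-bundle v0.2.0"
        # NOTE(review): the wheel is fetched by URL with no hash pin, so a
        # tampered release asset would be installed silently. A requirements
        # file used with --require-hashes (hash: <PLACEHOLDER>) closes that gap.
        python -m pip install https://github.com/advanced-security/codeql-bundle/releases/download/v0.2.0/codeql_bundle-0.2.0-py3-none-any.whl
        echo "::endgroup::"
      shell: bash
    - id: create-bundle
      env:
        BUNDLE_PATH: ${{ inputs.bundle-path }}
        PACKS: ${{ inputs.packs }}
        WORKSPACE: ${{ inputs.workspace }}
        DEFAULT_CODE_SCANNING_CONFIG: ${{ inputs.default-code-scanning-config }}
        PLATFORMS: ${{ inputs.platforms }}
        RUNNER_TEMP: ${{ runner.temp }}
        DEBUG: ${{ inputs.debug }}
      shell: bash
      run: |
        #!/bin/bash
        # Build the custom bundle with the codeql-bundle CLI. All inputs arrive
        # through the env block above rather than being interpolated into the
        # script text, so input values cannot inject shell syntax.

        set -e

        echo "::group::Creating CodeQL bundle."
        echo "Using bundle at ${BUNDLE_PATH}."
        echo "Using workspace at ${WORKSPACE}."
        output_path="${RUNNER_TEMP}/codeql-bundle.tar.gz"
        opts=()
        opts+=("--bundle" "${BUNDLE_PATH}")
        opts+=("--workspace" "${WORKSPACE}")
        if [[ -n "${PLATFORMS}" ]]; then
          echo "Targetting the platforms ${PLATFORMS}."
          # Split the comma-separated list in-process; commas and surrounding
          # spaces both act as separators, no subshell or word-splitting.
          IFS=', ' read -r -a platforms <<< "${PLATFORMS}"
          for platform in "${platforms[@]}"; do
            opts+=("--platform" "${platform}")
          done
          # When building multiple bundles, the output path is the directory containing the bundles
          output_path="${RUNNER_TEMP}/bundles"
          mkdir -p "${output_path}"
        fi
        opts+=("--output" "${output_path}")
        if [[ -n "${DEFAULT_CODE_SCANNING_CONFIG}" ]]; then
          echo "Using code scanning config at ${DEFAULT_CODE_SCANNING_CONFIG} as the default config."
          opts+=("--code-scanning-config" "${DEFAULT_CODE_SCANNING_CONFIG}")
        fi

        # String comparison. The previous `-eq` was an arithmetic test under
        # which both "true" and "false" evaluate to 0, so debug logging was
        # enabled regardless of the input value.
        if [[ "${DEBUG}" == "true" ]]; then
          # Option and value as separate array elements, so no word-splitting
          # of the array is needed when it is expanded below.
          opts+=("--log" "DEBUG")
        fi

        IFS=', ' read -r -a packs <<< "${PACKS}"
        codeql-bundle "${opts[@]}" "${packs[@]}"
        echo "::endgroup::"

        echo "output-path=${output_path}" >> "${GITHUB_OUTPUT}"
--------------------------------------------------------------------------------
/download-bundle/action.yml:
--------------------------------------------------------------------------------
name: "CodeQL Bundle: Download bundle"
description: "Action to download a GitHub provided CodeQL bundle that can be customized"
inputs:
  # NOTE(review): with the default "latest" the downloaded bundle changes
  # between runs; pin a release tag when the build must be reproducible.
  tag:
    description: "The tag of the bundle to download"
    required: true
    default: "latest"
  platforms:
    description: "A comma-separated list of platforms to download the bundle for, options are: osx64, linux64, win64"
    required: true
    default: ""
  token:
    description: "A GitHub token to use for downloading the bundle"
    required: true
    default: ${{ github.token }}
outputs:
  bundle-path:
    description: Path to the downloaded bundle
    value: ${{ steps.download-bundle.outputs.bundle-path }}
runs:
  using: "composite"
  steps:
    - id: download-bundle
      shell: bash
      env:
        TAG: ${{ inputs.tag }}
        PLATFORMS: ${{ inputs.platforms }}
        RUNNER_TEMP: ${{ runner.temp }}
        GH_TOKEN: ${{ inputs.token }}
      run: |
        #!/bin/bash
        # Download one bundle asset from the github/codeql-action releases.
        # The token reaches gh through GH_TOKEN in the env block, not on the
        # command line, so it is not visible in process listings or traces.

        set -e

        output_path="${RUNNER_TEMP}/codeql-bundle.tar.gz"
        platforms=()
        if [[ -n "${PLATFORMS}" ]]; then
          IFS=', ' read -r -a platforms <<< "${PLATFORMS}"
        fi

        opts=()
        # String comparison. The previous `-ne` was an arithmetic test, which
        # errors on a tag containing letters or dots; the requested tag was
        # then silently dropped and the latest release downloaded instead.
        if [[ "${TAG}" != "latest" ]]; then
          opts+=("${TAG}")
        fi

        # Exactly one platform selects that platform's asset; zero or several
        # fall back to the platform-agnostic bundle, which create-bundle can
        # split per platform afterwards.
        if [[ ${#platforms[@]} -eq 1 ]]; then
          opts+=("--pattern" "codeql-bundle-${platforms[0]}.tar.gz")
        else
          opts+=("--pattern" "codeql-bundle.tar.gz")
        fi

        opts+=("--output" "${output_path}")

        echo "::group::Downloading CodeQL bundle"
        gh release download --repo github/codeql-action "${opts[@]}"
        echo "::endgroup::"

        echo "bundle-path=${output_path}" >> "${GITHUB_OUTPUT}"
--------------------------------------------------------------------------------
/tests/code-scanning-config.yml:
--------------------------------------------------------------------------------
name: "Code Scanning configuration"

packs:
  go:
    - test/go-queries
  cpp:
    - test/cpp-queries
  javascript:
    - test/javascript-queries
  java:
    - test/java-queries
--------------------------------------------------------------------------------
/tests/codeql-workspace.yml:
--------------------------------------------------------------------------------
provide:
  - "**/qlpack.yml"
--------------------------------------------------------------------------------
/tests/cpp-queries/codeql-pack.lock.yml:
--------------------------------------------------------------------------------
---
lockVersion: 1.0.0
dependencies:
  codeql/cpp-all:
    version: 0.8.0
  codeql/ssa:
    version: 0.1.0
  codeql/tutorial:
    version: 0.1.0
  codeql/util:
    version: 0.1.0
compiled: false
--------------------------------------------------------------------------------
/tests/cpp-queries/qlpack.yml:
--------------------------------------------------------------------------------
---
library: false
warnOnImplicitThis: false
name: test/cpp-queries
version: 0.0.1
dependencies:
  codeql/cpp-all: "*"
--------------------------------------------------------------------------------
/tests/go-customizations/codeql-pack.lock.yml:
--------------------------------------------------------------------------------
---
lockVersion: 1.0.0
dependencies:
  codeql/go-all:
    version: 0.6.0
  codeql/mad:
    version: 0.1.0
  codeql/tutorial:
    version: 0.1.0
  codeql/util:
    version: 0.1.0
compiled: false
--------------------------------------------------------------------------------
/tests/go-customizations/qlpack.yml:
--------------------------------------------------------------------------------
---
library: true
warnOnImplicitThis: false
name: test/go-customizations
version: 0.0.1
dependencies:
  codeql/go-all: "*"
--------------------------------------------------------------------------------
/tests/go-customizations/test/go_customizations/Customizations.qll:
--------------------------------------------------------------------------------
private import go
--------------------------------------------------------------------------------
/tests/go-queries/codeql-pack.lock.yml:
--------------------------------------------------------------------------------
---
lockVersion: 1.0.0
dependencies:
  codeql/go-all:
    version: 0.6.0
  codeql/mad:
    version: 0.1.0
  codeql/tutorial:
    version: 0.1.0
  codeql/util:
    version: 0.1.0
compiled: false
--------------------------------------------------------------------------------
/tests/go-queries/qlpack.yml:
--------------------------------------------------------------------------------
---
library: false
warnOnImplicitThis: false
name: test/go-queries
version: 0.0.1
dependencies:
  codeql/go-all: "*"
--------------------------------------------------------------------------------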
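/tests/java-queries/codeql-pack.lock.yml:
--------------------------------------------------------------------------------
---
lockVersion: 1.0.0
dependencies:
  codeql/java-all:
    version: 0.7.0
  codeql/mad:
    version: 0.1.0
  codeql/regex:
    version: 0.1.0
  codeql/tutorial:
    version: 0.1.0
  codeql/typetracking:
    version: 0.1.0
  codeql/util:
    version: 0.1.0
compiled: false
--------------------------------------------------------------------------------
/tests/java-queries/qlpack.yml:
--------------------------------------------------------------------------------
---
library: false
warnOnImplicitThis: false
name: test/java-queries
version: 0.0.1
dependencies:
  codeql/java-all: "*"
--------------------------------------------------------------------------------
/tests/javascript-queries/codeql-pack.lock.yml:
--------------------------------------------------------------------------------
---
lockVersion: 1.0.0
dependencies:
  codeql/javascript-all:
    version: 0.7.0
  codeql/mad:
    version: 0.1.0
  codeql/regex:
    version: 0.1.0
  codeql/tutorial:
    version: 0.1.0
  codeql/util:
    version: 0.1.0
  codeql/yaml:
    version: 0.1.0
compiled: false
--------------------------------------------------------------------------------
/tests/javascript-queries/qlpack.yml:
--------------------------------------------------------------------------------
---
library: false
warnOnImplicitThis: false
name: test/javascript-queries
version: 0.0.1
dependencies:
  codeql/javascript-all: "*"
--------------------------------------------------------------------------------
/tests/run-locally.sh:
--------------------------------------------------------------------------------
#!/bin/bash
# Run the download-bundle and create-bundle steps outside GitHub Actions by
# emulating the runner's RUNNER_TEMP and GITHUB_OUTPUT, then pack the result
# into codeql-bundles.tar.gz next to this script.

set -e
SCRIPT_DIR=$(cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd)
readonly SCRIPT_DIR
# Assigned separately from `export` so a failing mktemp is not masked.
RUNNER_TEMP=$(mktemp -d)
export RUNNER_TEMP

#######################################
# Remove the scratch directory. `:?` refuses to run rm against an empty path.
# Globals: RUNNER_TEMP (read)
#######################################
cleanup() {
  rm -r -- "${RUNNER_TEMP:?}"
}

# On interrupt or error, clean up and exit non-zero. Single quotes defer
# expansion to trigger time instead of baking the path into the trap string.
trap 'cleanup; exit 1' SIGINT SIGTERM ERR

echo "Runner temp: $RUNNER_TEMP"
export GITHUB_OUTPUT="${RUNNER_TEMP}/github_output"
echo "GitHub output: $GITHUB_OUTPUT"

export PLATFORMS="osx64,linux64,win64"
export TAG="latest"

#######################################
# Run a step script with bash, failing with a clear message if it is absent.
# A non-zero return reaches the top-level ERR trap, which cleans up.
# Arguments: $1 - path to the step script
# Returns:   the script's exit status; 1 if the file does not exist
#######################################
run_step() {
  local script=$1
  if [[ ! -f "$script" ]]; then
    echo "Step script not found: $script" >&2
    return 1
  fi
  bash "$script"
}

#######################################
# Print the value of the last "output-path=<value>" line in $GITHUB_OUTPUT.
# Both steps append to the same file, so the most recent entry wins.
# Globals:  GITHUB_OUTPUT (read)
# Outputs:  the path on stdout; empty if no such line exists
#######################################
read_output_path() {
  local key value found=""
  while IFS='=' read -r key value; do
    if [[ "$key" == "output-path" ]]; then
      found=$value
    fi
  done < "$GITHUB_OUTPUT"
  printf '%s\n' "$found"
}

# NOTE(review): the repository tree at the top of this page lists only
# action.yml under download-bundle/ and create-bundle/; confirm these step
# scripts exist (or are generated) before relying on this runner.
run_step "$SCRIPT_DIR/../download-bundle/download-bundle.sh"

bundle_path=$(read_output_path)
if [[ -z "$bundle_path" ]]; then
  echo "Failed to download bundle!" >&2
  cleanup
  exit 1
fi

export BUNDLE_PATH="$bundle_path"
export PACKS="test/go-queries,test/go-customizations,test/java-queries,test/cpp-queries,test/javascript-queries"
export WORKSPACE="${SCRIPT_DIR}/codeql-workspace.yml"
export DEFAULT_CODE_SCANNING_CONFIG="${SCRIPT_DIR}/code-scanning-config.yml"

python3 -m venv "$RUNNER_TEMP/venv"
# shellcheck disable=SC1091  # the venv is created just above
source "$RUNNER_TEMP/venv/bin/activate"

# NOTE(review): this wheel is fetched from rvermeulen/codeql-bundle while
# create-bundle/action.yml installs it from advanced-security/codeql-bundle;
# neither download is hash-pinned. Use a single source and --require-hashes
# so a tampered release asset cannot be installed silently.
pip install https://github.com/rvermeulen/codeql-bundle/releases/download/v0.2.0/codeql_bundle-0.2.0-py3-none-any.whl

run_step "$SCRIPT_DIR/../create-bundle/create-bundle.sh"

# create-bundle appended its own output-path line, which is now the last one.
output_path=$(read_output_path)
if [[ -n "$output_path" ]]; then
  # NOTE(review): `cf` writes an uncompressed archive despite the .tar.gz
  # name; confirm whether `czf` was intended before changing consumers.
  tar cf "${SCRIPT_DIR}/codeql-bundles.tar.gz" -C "$output_path" .
else
  echo "Failed to find output path in GitHub output file" >&2
fi

cleanup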