Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add capability to filter queries #1098

Merged
merged 9 commits into from
Jun 16, 2022
2 changes: 0 additions & 2 deletions .github/workflows/expected-queries-runs.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,4 @@
name: Expected queries runs
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

on:
push:
Expand Down
97 changes: 97 additions & 0 deletions .github/workflows/query-filters.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
name: Query filters tests

on:
push:
branches:
- main
- releases/v1
- releases/v2
pull_request:
types:
- opened
- synchronize
- reopened
- ready_for_review
workflow_dispatch: {}

jobs:
expected-queries:
timeout-minutes: 45
runs-on: ubuntu-latest
steps:
- name: Check out repository
uses: actions/checkout@v3
- name: Prepare test
id: prepare-test
uses: ./.github/prepare-test
with:
version: latest

# Test 1
- uses: ./../action/init
with:
languages: javascript
config-file: ./.github/codeql/codeql-config-query-filters1.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
db-location: ${{ runner.temp }}/test1
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
upload: false
env:
TEST_MODE: true
- name: Check Sarif
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip
queries-not-run: js/path-injection
- name: Cleanup after test
run: rm -rf "$RUNNER_TEMP/results"
henrymercer marked this conversation as resolved.
Show resolved Hide resolved

# Test 2
- uses: ./../action/init
with:
languages: javascript
config-file: ./.github/codeql/codeql-config-query-filters2.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
db-location: ${{ runner.temp }}/test2
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
upload: false
env:
TEST_MODE: true
- name: Check Sarif
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block
queries-not-run: js/path-injection
- name: Cleanup after test
run: rm -rf "$RUNNER_TEMP/results"

# Test 3
- uses: ./../action/init
with:
languages: javascript
config-file: ./.github/codeql/codeql-config-query-filters3.yml
tools: ${{ steps.prepare-test.outputs.tools-url }}
db-location: ${{ runner.temp }}/test3
- uses: ./../action/analyze
with:
output: ${{ runner.temp }}/results
upload-database: false
upload: false
env:
TEST_MODE: true
- name: Check Sarif
uses: ./../action/.github/check-sarif
with:
sarif-file: ${{ runner.temp }}/results/javascript.sarif
queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs
queries-not-run: js/path-injection,complex-python-querypack/show-ifs,complex-python-querypack/foo/bar/show-ifs
- name: Cleanup after test
run: rm -rf "$RUNNER_TEMP/results"
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
name: "CodeQL config 1"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for naming the tests in the workflow file. We could potentially add those names here too.


query-filters:
# This should run js/path-injection and js/zipslip
- include:
tags contain: external/cwe/cwe-022

# Removes out js/path-injection
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Removes out js/path-injection
# Removes js/path-injection

- exclude:
id: js/path-injection
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
name: "CodeQL config 2"

disable-default-queries: true

packs:
javascript:
- codeql/javascript-queries
- dsp-testing/codeql-pack1@1.0.0

query-filters:
# This should run js/path-injection and js/zipslip
- include:
tags contain: external/cwe/cwe-022

# Removes out js/path-injection
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Removes out js/path-injection
# Removes js/path-injection

- exclude:
id: js/path-injection

# Query from extra pack
- include:
id: javascript/example/empty-or-one-block
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: "CodeQL config 3"

disable-default-queries: true

queries:
# Local query
- name: Run an extra local query
uses: ./codeql-qlpacks/javascript-qlpack/show_ifs.ql

# These queries are ignored
- name: Ignored queries
uses: ./codeql-qlpacks/complex-python-qlpack/rootAndBar.qls


packs:
javascript:
- codeql/javascript-queries
- dsp-testing/codeql-pack1@1.0.0

query-filters:
# This should run js/path-injection and js/zipslip
- include:
tags contain: external/cwe/cwe-022

# Removes out js/path-injection
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Removes out js/path-injection
# Removes js/path-injection

- exclude:
id: js/path-injection

# Query from extra pack
- include:
id: javascript/example/empty-or-one-block

# Local query
- include:
id: inrepo-javascript-querypack/show-ifs