Repo sync #34091

Merged
merged 11 commits into from
Jul 25, 2024
4 changes: 2 additions & 2 deletions .github/workflows/azure-preview-env-deploy-public.yml
@@ -66,7 +66,7 @@ jobs:
password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27

- name: Check out main branch
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
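Review bot: the bumped `docker/setup-buildx-action` pin on the `+` line has no version comment, while the `actions/checkout` pin two lines below records its tag (`# v4.1.1`). Append the matching `# vX.Y.Z` comment to the new SHA so a reviewer can check it against an upstream release without resolving the commit, and so the tag is visible when the pin is audited later; full-SHA pinning itself is the right choice for a third-party action.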
@@ -112,7 +112,7 @@ jobs:
run: src/workflows/prune-for-preview-env.sh

- name: 'Build and push image'
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445
with:
context: .
push: true
4 changes: 2 additions & 2 deletions .github/workflows/azure-preview-env-deploy.yml
@@ -79,7 +79,7 @@ jobs:
password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27

- name: Check out PR code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -171,7 +171,7 @@ jobs:
run: src/workflows/prune-for-preview-env.sh

- name: 'Build and push image'
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445
with:
context: .
push: true
4 changes: 2 additions & 2 deletions .github/workflows/azure-prod-build-deploy.yml
@@ -49,7 +49,7 @@ jobs:
password: ${{ secrets.PROD_REGISTRY_PASSWORD }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27

- name: Check out repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -92,7 +92,7 @@ jobs:
token: ${{ secrets.DOCS_BOT_PAT_READPUBLICKEY }}

- name: 'Build and push image'
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445
with:
context: .
push: true
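Review bot: this is the production build job (the file is `azure-prod-build-deploy.yml`, and the hunk's context shows `DOCS_BOT_PAT_READPUBLICKEY` being supplied to a step), so the new `docker/build-push-action` SHA will execute with production credentials in scope. Before merge, confirm that commit `5176d81f87c23d6fc96624dfdbcd9f3830bbe445` is a tagged release in the upstream repository rather than an arbitrary commit, and record that tag in a trailing comment as the `actions/checkout` line in the first hunk does.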
4 changes: 2 additions & 2 deletions .github/workflows/azure-staging-build-deploy.yml
@@ -57,7 +57,7 @@ jobs:
password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27

- name: Check out repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -91,7 +91,7 @@ jobs:
run: src/early-access/scripts/merge-early-access.sh

- name: 'Build and push image'
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445
with:
context: .
push: true
4 changes: 2 additions & 2 deletions .github/workflows/main-preview-docker-cache.yml
@@ -42,7 +42,7 @@ jobs:
password: ${{ secrets.NONPROD_REGISTRY_PASSWORD }}

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4
uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27

- name: Check out repo
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
@@ -68,7 +68,7 @@ jobs:
run: src/workflows/prune-for-preview-env.sh

- name: 'Build and push image'
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c
uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445
with:
context: .
push: true
Original file line number Diff line number Diff line change
@@ -133,7 +133,7 @@ Creating a {% data variables.product.prodname_codeql %} database without a build

To use `autobuild` or manual build steps, you can use advanced setup.

>[!NOTE] For Java analysis, if `build-mode` is set to `none` and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See {% ifversion codeql-kotlin-beta %}"[Building Java and Kotlin](#building-java--and-kotlin)"{% else %}"[Building Java](#building-java)"{% endif %}.
>[!NOTE] For Java analysis, if `build-mode` is set to `none` and Kotlin code is found in the repository, the Kotlin code will not be analyzed and a warning will be produced. See "[Building Java and Kotlin](#building-java-and-kotlin)."

{% endif %}

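Review bot: the replaced note's anchor changes from `#building-java--and-kotlin` to `#building-java-and-kotlin`, which only resolves once the `## Building Java` heading in this file no longer carries the `{% ifversion codeql-kotlin-beta %}` tag that produced the double hyphen in its slug; the heading hunk later in this file makes that change, so the two must land together. Moving the period inside the closing quotation mark matches the surrounding link style.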
@@ -269,10 +269,9 @@ If you added manual build steps for compiled languages and {% data variables.pro

* [Building C/C++](#building-cc)
* [Building C#](#building-c){% ifversion codeql-go-autobuild %}
* [Building Go](#building-go){% endif %}{% ifversion codeql-kotlin-beta %}
* [Building Java and Kotlin](#building-java--and-kotlin){% else %}
* [Building Java](#building-java){% endif %}{% ifversion codeql-swift-beta %}
* [Building Swift](#building-swift){% endif %}
* [Building Go](#building-go){% endif %}
* [Building Java and Kotlin](#building-java-and-kotlin)
* [Building Swift](#building-swift)

{% note %}

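Review bot: check the Liquid pairing on the remaining list: `{% ifversion codeql-go-autobuild %}` still opens at the end of the `Building C#` item and its `{% endif %}` now closes at the end of the `Building Go` item, so the Java/Kotlin and Swift items render for every version. That matches the feature files later in this diff, which set both flags to `'*'` for all versions, but versions that previously linked to plain `Building Java` now point at the combined section, so the target heading must exist in every version of the page.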
@@ -433,7 +432,7 @@ The `autobuild` process attempts to autodetect a suitable way to install the dep

{% endif %}

## Building Java {% ifversion codeql-kotlin-beta %} and Kotlin {% endif %}
## Building Java and Kotlin

{% ifversion codeql-no-build %}{% data variables.product.prodname_codeql %} supports the following build modes.

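Review bot: dropping the `{% ifversion codeql-kotlin-beta %}` tag from the heading changes its generated slug, so any link still pointing at `#building-java--and-kotlin` will scroll to the top of the page without any error. This diff updates the references in this file's link list and in the Kotlin-migration article; grep the rest of the content tree for the old slug before merging, since a stale fragment fails silently.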
@@ -488,8 +487,6 @@ You will also need to install the build system (for example `make`, `cmake`, `ba

Windows runners require `powershell.exe` to be on the `PATH`.

{% ifversion codeql-swift-beta %}

## Building Swift

{% ifversion codeql-no-build %}{% data variables.product.prodname_codeql %} supports build modes `autobuild` or `manual` for Swift code.
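Review bot: removing the `{% ifversion codeql-swift-beta %}` opener here requires removing exactly one matching `{% endif %}`, and the hunk also shows an `{% ifversion codeql-no-build %}` opening two lines later whose close is not visible because the lines between this hunk and the next are collapsed. Confirm that the `{% endif %}` deleted in the next hunk, after the `autobuild` sentence, is the one that closed `codeql-swift-beta` and not the `codeql-no-build` block; dropping the wrong one either breaks the Liquid build or leaves the Swift section gated by the wrong flag.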
@@ -503,12 +500,6 @@ Windows runners require `powershell.exe` to be on the `PATH`.

The `autobuild` process tries to build the biggest target from an Xcode project or workspace.

{% endif %}

{% ifversion codeql-swift-beta %}

{% data reusables.code-scanning.beta-swift-support %}

Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or ghec %}Since {% data variables.product.company_short %}-hosted macOS runners are more expensive than Linux and Windows runners, we recommend that you build only the code that you want to analyze. For more information about pricing for {% data variables.product.company_short %}-hosted runners, see "[AUTOTITLE](/billing/managing-billing-for-github-actions/about-billing-for-github-actions)."{% endif %}

{% data reusables.code-scanning.default-setup-swift-self-hosted-runners %}
@@ -520,5 +511,3 @@ Code scanning of Swift code uses macOS runners by default. {% ifversion fpt or g
You can pass the `archive` and `test` options to `xcodebuild`. However, the standard `xcodebuild` command is recommended as it should be the fastest, and should be all that {% data variables.product.prodname_codeql %} requires for a successful scan.

For Swift analysis, you must always explicitly install dependencies managed via CocoaPods or Carthage before generating the {% data variables.product.prodname_codeql %} database.

{% endif %}
Original file line number Diff line number Diff line change
@@ -143,7 +143,6 @@ This workflow scans:

## Specifying an operating system

{% ifversion codeql-swift-beta %}
{% note %}

**Notes**:
@@ -154,8 +153,6 @@ This workflow scans:

{% endnote %}

{% endif %}

If your code requires a specific operating system to compile, you can configure the operating system in your {% data variables.code-scanning.codeql_workflow %}. Edit the value of `jobs.analyze.runs-on` to specify the operating system for the machine that runs your {% data variables.product.prodname_code_scanning %} actions. {% ifversion ghes %}You specify the operating system by using an appropriate label as the second element in a two-element array, after `self-hosted`.{% else %}

``` yaml copy
Original file line number Diff line number Diff line change
@@ -16,8 +16,6 @@ topics:

{% data variables.product.prodname_codeql %} includes many queries for analyzing Java and Kotlin code. {% data reusables.code-scanning.codeql-query-tables.query-suite-behavior %}

{% data reusables.code-scanning.beta-kotlin-support %}

## Built-in queries for Java and Kotlin analysis

{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
Original file line number Diff line number Diff line change
@@ -16,8 +16,6 @@ topics:

{% data variables.product.prodname_codeql %} includes many queries for analyzing Swift code. {% data reusables.code-scanning.codeql-query-tables.query-suite-behavior %}

{% data reusables.code-scanning.beta-swift-support %}

## Built-in queries for Swift analysis

{% data reusables.code-scanning.codeql-query-tables.codeql-version-info %}
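Review bot: this hunk and the previous one delete the only visible uses of `reusables.code-scanning.beta-kotlin-support` and `reusables.code-scanning.beta-swift-support` (the Swift reusable is also dropped from the compiled-languages page earlier in this diff, and `reusables.code-scanning.beta-kotlin-or-swift-support` goes from the database-creation page later). If no other content still includes them, the corresponding reusable files should be deleted in the same PR so an orphaned beta callout cannot be re-included by mistake; if they are still referenced elsewhere, list the remaining sites in the description.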
Original file line number Diff line number Diff line change
@@ -40,13 +40,13 @@ If you want to update the analysis to also include Kotlin files, then {% data va
1. Wait until the Kotlin code is merged into the default branch for the repository.
1. Disable and then re-enable default setup on the "Settings" page for your repository.

This will trigger a new analysis using automatic build detection. See "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and "[Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java--and-kotlin)."
This will trigger a new analysis using automatic build detection. See "[AUTOTITLE](/code-security/code-scanning/enabling-code-scanning/configuring-default-setup-for-code-scanning)" and "[Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java-and-kotlin)."

If the automatic build detection fails, you will need to use advanced setup with the correct build commands for the project to analyze both languages.

### {% data variables.product.prodname_code_scanning_caps %} advanced setup

If you already use advanced setup, you can edit the {% data variables.product.prodname_codeql %} workflow and change the build mode for `java-kotlin` from `none` to either `autobuild` to automatically build your project, or `manual` to specify your own build steps. "[Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java--and-kotlin)."
If you already use advanced setup, you can edit the {% data variables.product.prodname_codeql %} workflow and change the build mode for `java-kotlin` from `none` to either `autobuild` to automatically build your project, or `manual` to specify your own build steps. "[Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java-and-kotlin)."

If you need to convert from default setup to advanced setup, you need enable advanced setup on the on the "Settings" page for your repository and create a {% data variables.product.prodname_codeql %} workflow. Then you can define a `manual` build mode for `java-kotlin` and define the build commands for the project.

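Review bot: the unchanged context line near the end of this hunk reads "you need enable advanced setup on the on the "Settings" page": it is missing "to" and repeats "on the". Not introduced by this change, but since the file is being edited anyway, fix it here rather than leaving it for another sync.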
@@ -57,6 +57,6 @@ Update your calls to run the {% data variables.product.prodname_codeql_cli %} fo
## Further reading

* "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning)"
* "[Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java--and-kotlin){% ifversion codeql-no-build %}
* "[Building Java and Kotlin](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#building-java-and-kotlin){% ifversion codeql-no-build %}
* "[CodeQL build modes](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#codeql-build-modes)"{% elsif ghes %}
* "[Adding build steps for a compiled language](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages#adding-build-steps-for-a-compiled-language)"{% endif %}
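Review bot: the rewritten `Building Java and Kotlin` bullet is missing its closing quotation mark, on both the old and the new line: it opens with `"[Building Java and Kotlin](...)` and runs straight into `{% ifversion codeql-no-build %}`, whereas the `CodeQL build modes` bullet below closes with `)"`. Suggest `...#building-java-and-kotlin)"{% ifversion codeql-no-build %}` so the rendered list does not show an unbalanced quote.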
Original file line number Diff line number Diff line change
@@ -121,6 +121,13 @@ This option has no effect when passed to [codeql bqrs interpret](/code-security/

Available since `v2.15.2`.

#### `--no-sarif-include-alert-provenance`

\[Advanced] \[SARIF formats only] Do not include alert provenance
information in the SARIF output.

Available since `v2.18.1`.

#### `--[no-]sarif-group-rules-by-pack`

\[SARIF formats only] Place the rule object for each query under its
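Review bot: the new entry states only what the flag suppresses; the neighbouring `--[no-]sarif-group-rules-by-pack` entry describes the resulting SARIF shape, but this one does not say what "alert provenance information" is or when a user would want to leave it out of the output. A short sentence on what is omitted, and on the fact that consumers of the SARIF then lose that information, would make the option usable. Also check the option's polarity against the CLI: the sibling is documented as `--[no-]...`, so if a positive `--sarif-include-alert-provenance` form exists it should be documented the same way, and if these reference pages are generated from the CLI help text the fix belongs upstream.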
Original file line number Diff line number Diff line change
@@ -167,6 +167,13 @@ This option has no effect when passed to [codeql bqrs interpret](/code-security/

Available since `v2.15.2`.

#### `--no-sarif-include-alert-provenance`

\[Advanced] \[SARIF formats only] Do not include alert provenance
information in the SARIF output.

Available since `v2.18.1`.

#### `--[no-]sarif-group-rules-by-pack`

\[SARIF formats only] Place the rule object for each query under its
Original file line number Diff line number Diff line change
@@ -129,6 +129,13 @@ This option has no effect when passed to [codeql bqrs interpret](/code-security/

Available since `v2.15.2`.

#### `--no-sarif-include-alert-provenance`

\[Advanced] \[SARIF formats only] Do not include alert provenance
information in the SARIF output.

Available since `v2.18.1`.

#### `--[no-]sarif-group-rules-by-pack`

\[SARIF formats only] Place the rule object for each query under its
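Review bot: this is the third identical copy of the `--no-sarif-include-alert-provenance` entry in this diff (the same block was added in the two preceding hunks). Any wording change made to the first copy has to be applied to all three, so it is worth confirming these pages are regenerated from one source rather than hand-edited.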
Original file line number Diff line number Diff line change
@@ -38,8 +38,8 @@ The standard {% data variables.product.prodname_codeql %} packs for all supporte
* `codeql/java-queries`
* `codeql/javascript-queries`
* `codeql/python-queries`
* `codeql/ruby-queries` {% ifversion codeql-swift-beta %}
* `codeql/swift-queries` {% endif %}
* `codeql/ruby-queries`
* `codeql/swift-queries`

You can also use the {% data variables.product.prodname_codeql_cli %} to create your own {% data variables.product.prodname_codeql %} packs, add dependencies to packs, and install or update dependencies. For more information, see "[AUTOTITLE](/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-and-working-with-codeql-packs)."

Original file line number Diff line number Diff line change
@@ -56,8 +56,6 @@ You must specify:

{% data reusables.code-scanning.codeql-language-identifiers-table %}

{% data reusables.code-scanning.beta-kotlin-or-swift-support %}

If your codebase has a build command or script that invokes the build process, we recommend that you specify it as well:

```shell
@@ -75,7 +73,7 @@ You can specify additional options depending on the location of your source file
| {% ifversion codeql-language-identifiers-311 %} |
| <code><span style="white-space: nowrap;">--language</span></code> | {% octicon "check" aria-label="Required" %} | Specify the identifier for the language to create a database for, one of: {% data reusables.code-scanning.codeql-languages-keywords %}. When used with <code><span style="white-space: nowrap;">--db-cluster</span></code>, the option accepts a comma-separated list, or can be specified more than once. |
| {% else %} |
| <code><span style="white-space: nowrap;">--language</span></code> | {% octicon "check" aria-label="Required" %} | Specify the identifier for the language to create a database for, one of: {% data reusables.code-scanning.codeql-languages-keywords %} (use `javascript` to analyze TypeScript code {% ifversion codeql-kotlin-beta %} and `java` to analyze Kotlin code{% endif %}). When used with <code><span style="white-space: nowrap;">--db-cluster</span></code>, the option accepts a comma-separated list, or can be specified more than once. |
| <code><span style="white-space: nowrap;">--language</span></code> | {% octicon "check" aria-label="Required" %} | Specify the identifier for the language to create a database for, one of: {% data reusables.code-scanning.codeql-languages-keywords %} (use `javascript` to analyze TypeScript code and `java` to analyze Kotlin code). When used with <code><span style="white-space: nowrap;">--db-cluster</span></code>, the option accepts a comma-separated list, or can be specified more than once. |
| {% endif %} |
| <code><span style="white-space: nowrap;">--command</span></code> | {% octicon "x" aria-label="Optional" %} | **Recommended.** Use to specify the build command or script that invokes the build process for the codebase. Commands are run from the current folder or, where it is defined, from <code><span style="white-space: nowrap;">--source-root</span></code>. Not needed for Python and JavaScript/TypeScript analysis. |
| {% ifversion codeql-no-build %} |
@@ -286,7 +284,6 @@ The following examples are designed to give you an idea of some of the build com
codeql database create java-database --language={% ifversion codeql-language-identifiers-311 %}java-kotlin{% else %}java{% endif %} --command='ant -f build.xml'
```

{% ifversion codeql-swift-beta %}
* Swift project built from an Xcode project or workspace. By default, the largest Swift target is built:

It's a good idea to ensure that the project is in a clean state and that there are no build artefacts available.
@@ -316,8 +313,6 @@ The following examples are designed to give you an idea of some of the build com
codeql database create -l swift -c "./scripts/build.sh" swift-database
```

{% endif %}

* Project built using Bazel:

```shell
Original file line number Diff line number Diff line change
@@ -37,9 +37,7 @@ Some features are supported for additional languages or package managers. If you
{% data reusables.supported-languages.ruby %}
{% data reusables.supported-languages.rust %}
{% data reusables.supported-languages.scala %}
{%- ifversion codeql-swift-beta or supply-chain-features-swift-support %}
{% data reusables.supported-languages.swift %}
{%- endif %}
{% data reusables.supported-languages.typescript %}

{% note %}
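Review bot: the removed conditional was `codeql-swift-beta or supply-chain-features-swift-support`, so it also depended on a second feature flag that this PR does not touch. Dropping the whole `{%- ifversion %}` wrapper makes the Swift line render unconditionally, including on versions where `supply-chain-features-swift-support` may not be enabled; confirm that flag is also set for every version before merging, or keep `{%- ifversion supply-chain-features-swift-support %}` around the Swift entry and remove only the `codeql-swift-beta` half of the condition.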
3 changes: 3 additions & 0 deletions data/features/codeql-kotlin-beta.yml
@@ -1,3 +1,6 @@
# Reference: #2703 and #15120
# 2024-07-17 GA

versions:
fpt: '*'
ghec: '*'
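Review bot: the comment records the flag as GA on 2024-07-17, but the file, and therefore the `codeql-kotlin-beta` feature flag, is kept with `'*'` for every version. That is harmless for rendering, but a flag that is true everywhere is dead configuration; once the remaining `{% ifversion codeql-kotlin-beta %}` references are gone (this diff removes several, including the one in the reusable at the end), the feature file itself can be deleted in a follow-up so nobody gates new content on it.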
3 changes: 2 additions & 1 deletion data/features/codeql-swift-beta.yml
@@ -1,5 +1,6 @@
# Reference: #10251.
# Reference: #10251 and #15120
# [2023-06-01] Swift support for code scanning users (GitHub docs site) [Public beta]
# 2024-07-17 GA
versions:
fpt: '*'
ghec: '*'
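Review bot: the added `# 2024-07-17 GA` line uses a different comment format from the existing history line in the same file, which is written as `# [2023-06-01] Swift support for code scanning users (GitHub docs site) [Public beta]`. Use the same bracketed-date style, for example `# [2024-07-17] Swift support for code scanning users [GA]`, so the file's history reads consistently; the same format choice applies to the Kotlin feature file in the preceding hunk.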
Original file line number Diff line number Diff line change
@@ -1,3 +1,3 @@
For compiled languages like Java,{% ifversion codeql-kotlin-beta %} Kotlin, {% endif %}{% ifversion codeql-go-autobuild %} Go,{% endif %} C, C++, and C#, {% data variables.product.prodname_codeql %} analyzes all of the code which was built during the workflow run. To limit the amount of code being analyzed, build only the code which you wish to analyze by specifying your own build steps in a `run` block. You can combine specifying your own build steps with using the `paths` or `paths-ignore` filters on the `pull_request` and `push` events to ensure that your workflow only runs when specific code is changed. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)."
For compiled languages like Java, Kotlin, {% ifversion codeql-go-autobuild %} Go,{% endif %} C, C++, and C#, {% data variables.product.prodname_codeql %} analyzes all of the code which was built during the workflow run. To limit the amount of code being analyzed, build only the code which you wish to analyze by specifying your own build steps in a `run` block. You can combine specifying your own build steps with using the `paths` or `paths-ignore` filters on the `pull_request` and `push` events to ensure that your workflow only runs when specific code is changed. For more information, see "[AUTOTITLE](/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore)."

For languages like{% ifversion codeql-go-autobuild %}{% else %} Go,{% endif %} JavaScript, Python, and TypeScript, that {% data variables.product.prodname_codeql %} analyzes without compiling the source code, you can specify additional configuration options to limit the amount of code to analyze. For more information, see "[AUTOTITLE](/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#specifying-directories-to-scan)."
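Review bot: the new line reads `Kotlin, {% ifversion codeql-go-autobuild %} Go,{% endif %} C`, so the rendered text always contains a double space after `Kotlin,`: with `codeql-go-autobuild` enabled the space before the tag is followed by the space inside it, and with it disabled the space before the tag is followed by the space before `C`. The previous line had the same problem, but since the line is being rewritten, move the space inside the tag: `Kotlin,{% ifversion codeql-go-autobuild %} Go,{% endif %} C`.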