| 1 | +# Changelog |
| 2 | + |
| 3 | +All notable changes to the CodeQL Scanner VSCode extension will be documented in this file. |
| 4 | + |
| 5 | +The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), |
| 6 | +and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). |
| 7 | + |
| 8 | +## [0.1.0] - 2025-06-26 |
| 9 | + |
| 10 | +### Added |
| 11 | +- Initial release of CodeQL Scanner extension |
| 12 | +- **Local CodeQL CLI Integration**: |
| 13 | + - Support for local CodeQL CLI scanning using subprocess execution |
| 14 | + - Automatic database creation using `codeql database create` with build mode detection |
| 15 | + - Analysis execution using `codeql database analyze` with customizable query suites |
| 16 | + - SARIF result parsing and display with flow step tracking |
| 17 | + - Storage of databases and results in `$HOME/.codeql/databases/` and `$HOME/.codeql/results/` |
| 18 | + - CodeQL version detection and compatibility checking |
| 19 | + - Automatic query pack resolution and installation |
| 20 | + - Git SHA-based result file naming for version tracking |
| 21 | +- **GitHub API Integration**: |
| 22 | + - Connect to GitHub repositories using personal access tokens |
| 23 | + - Repository information retrieval with language detection |
| 24 | + - GitHub Actions workflow creation and management |
| 25 | + - Remote scanning via GitHub Actions with workflow dispatch |
| 26 | + - CodeQL alerts fetching from GitHub Security tab |
| 27 | + - GitHub Enterprise Server support with configurable base URL |
| 28 | + - Automatic repository owner/name detection from git remotes |
| 29 | +- **Dual Scanning Modes**: |
| 30 | + - Local CLI scanning (default and recommended) with offline capability |
| 31 | + - Remote GitHub Actions scanning with real-time status monitoring |
| 32 | + - Hybrid remote alert fetching for existing GitHub CodeQL results |
| 33 | +- **Advanced Configuration Management**: |
| 34 | + - Modern webview-based configuration panel with real-time updates |
| 35 | + - Auto-save functionality for configuration changes |
| 36 | + - Threat model selection (Remote/Local) for targeted analysis |
| 37 | + - Query suites selection (default, security-extended, security-and-quality) |
| 38 | + - Programming language auto-detection and manual selection |
| 39 | + - CodeQL CLI path configuration with validation |
| 40 | + - GitHub repository language auto-mapping to CodeQL languages |
| 41 | +- **Comprehensive Results Visualization**: |
| 42 | + - Tree view for scan results organized by severity levels |
| 43 | + - Click-to-navigate to exact source code locations with highlighting |
| 44 | + - Data flow visualization with step-by-step navigation |
| 45 | + - Real-time result updates during scanning |
| 46 | + - Security dashboard with vulnerability statistics |
| 47 | + - Top vulnerabilities and affected files summary |
| 48 | + - Severity-based color coding (Critical, High, Medium, Low) |
| 49 | + - Auto-loading of existing SARIF files on startup |
| 50 | +- **Rich Command Set**: |
| 51 | + - `CodeQL: Run Scan` - Execute local or remote security analysis |
| 52 | + - `CodeQL: Initialize Repository` - Setup configuration files and workflows |
| 53 | + - `CodeQL: Run Analysis` - View analysis history from GitHub |
| 54 | + - `CodeQL: Configure Settings` - Open interactive configuration panel |
| 55 | + - `CodeQL: Show Logs` - Display extension logs for debugging |
| 56 | + - `CodeQL: Clear Logs` - Clear extension log history |
| 57 | + - `CodeQL: Clear Inline Diagnostics` - Remove VS Code diagnostics |
| 58 | + - `CodeQL: Copy Flow Path` - Copy data flow paths to clipboard |
| 59 | + - `CodeQL: Navigate Flow Steps` - Step through vulnerability flow |
| 60 | + - `CodeQL: Reload SARIF` - Refresh existing scan results |
| 61 | +- **Automated File Generation**: |
| 62 | + - `.github/codeql/codeql-config.yml` with customizable paths and exclusions |
| 63 | + - `.github/workflows/codeql-analysis.yml` with multi-language matrix |
| 64 | + - YAML configuration using js-yaml library with proper formatting |
| 65 | + - Workflow dispatch inputs for flexible GitHub Actions execution |
| 66 | +- **Extended Multi-language Support**: |
| 67 | + - JavaScript, TypeScript, Python, Java, C#, C/C++, Go, Ruby, Swift, Kotlin, Scala |
| 68 | + - Language-specific database creation with appropriate build modes |
| 69 | + - Dynamic language detection from CodeQL CLI capabilities |
| 70 | + - GitHub repository language mapping and auto-selection |
| 71 | + - Language filtering and exclusion capabilities |
| 72 | +- **Enhanced User Experience**: |
| 73 | + - Progressive loading indicators with duration tracking |
| 74 | + - Auto-save indicators for configuration changes |
| 75 | + - Animated success/error feedback with visual cues |
| 76 | + - Responsive design for different screen sizes |
| 77 | + - Intelligent error handling with actionable messages |
| 78 | + - Background SARIF file auto-loading |
| 79 | + - Real-time scan progress with detailed status updates |
| 80 | + |
| 81 | +### Technical Details |
| 82 | +- Built with TypeScript and VS Code Extension API |
| 83 | +- Uses @octokit/rest for comprehensive GitHub API integration |
| 84 | +- Implements subprocess execution for CodeQL CLI with proper error handling |
| 85 | +- Advanced SARIF result format parsing with flow step extraction |
| 86 | +- Modern webview provider with CSS animations and responsive design |
| 87 | +- Tree data provider with context menu actions |
| 88 | +- Real-time communication between webview and extension |
| 89 | +- Sophisticated logging system with configurable levels |
| 90 | +- Background task management and cancellation support |
| 91 | +- Memory-efficient result caching and management |
| 92 | + |
| 93 | +### Dependencies |
| 94 | +- @octokit/rest: GitHub API client with full CodeQL support |
| 95 | +- js-yaml: YAML parsing and generation for configuration files |
| 96 | +- axios: HTTP client for additional API calls and error handling |
| 97 | +- VS Code Extension API: Core functionality and UI integration |
| 98 | + |
| 99 | +### Configuration Properties |
| 100 | +- `codeql-scanner.github.token`: GitHub API authentication token |
| 101 | +- `codeql-scanner.github.owner`: Repository owner/organization name |
| 102 | +- `codeql-scanner.github.repo`: Repository name |
| 103 | +- `codeql-scanner.github.baseUrl`: GitHub API base URL (Enterprise support) |
| 104 | +- `codeql-scanner.github.languages`: Auto-detected repository languages |
| 105 | +- `codeql-scanner.suites`: CodeQL query suites (array support) |
| 106 | +- `codeql-scanner.threatModel`: Analysis threat model (Remote/Local) |
| 107 | +- `codeql-scanner.languages`: Programming languages to analyze (array) |
| 108 | +- `codeql-scanner.codeqlPath`: Path to CodeQL CLI executable |
| 109 | +- `codeql-scanner.useLocalScan`: Enable local CLI scanning mode |
| 110 | +- `codeql-scanner.logging.level`: Logging verbosity (DEBUG/INFO/WARN/ERROR) |
| 111 | +- `codeql-scanner.logging.enableConsole`: Enable console logging for development |
| 112 | + |
| 113 | +### Activity Bar Integration |
| 114 | +- Dedicated CodeQL Scanner activity bar with shield icon |
| 115 | +- Scan Results view (conditional display when results available) |
| 116 | +- Configuration webview panel for settings management |
| 117 | +- Context menu integration in file explorer |
| 118 | +- Result item context menus for flow navigation and copying |