ATM: add PR check running the boosted queries

jhelie · jhelie · commit 44bf8184fece · 2022-11-01T20:57:58.000+01:00
diff --git a/.github/workflows/atm-check-queries-run.yml b/.github/workflows/atm-check-queries-run.yml
@@ -1,13 +1,79 @@
 name: ATM Check Queries Run
 
-# This check is required, therefore we must run it on all PRs, even if only Markdown has changed.
+env:
+  AZURE_STORAGE_URL: "https://atmcodeqldata.blob.core.windows.net"
+  DB_NAME: "AmanSultanBaig/SignIn-SignUp-System-with-Nodejs"
+  DB_PATH: test_db
+  MODEL_BULDING_PACK_PATH: javascript/ql/experimental/adaptivethreatmodeling/modelbuilding
+  QUERY_SUITE: javascript/ql/experimental/adaptivethreatmodeling/src/codeql-suites/javascript-atm-code-scanning.qls
+
 on:
+  pull_request:
+    paths:
+      - "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/codeql-pack.lock.yml"
+      - "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml"
+      - "javascript/experimental/adpativethreatmodeling/src/qlpack.yml"
+      - "javascript/experimental/adpativethreatmodeling/src/codeql-pack.lock.yml"
   workflow_dispatch:
 
 jobs:
-  hello-world:
+  run-atm-queries:
     runs-on: ubuntu-latest
 
     steps:
-      - name: foo
-        run: echo "Hello world"
+      - uses: actions/checkout@v3
+        with:
+          path: codeql-lib
+
+      - name: Install CodeQL CLI
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh extensions install github/gh-codeql
+          gh codeql download
+
+      - name: Download model pack
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          STORAGE_SAS: ${{ secrets.AZURE_BLOB_STORAGE_ATMCODEQLDATA_SAS }}
+        run: |
+          echo "::group::Download ATM model pack"
+          set -exu
+
+          # Get pack version and checksum
+          pack_version=$(yq '.dependencies.codeql/javascript-experimental-atm-model' ./codeql-lib/${MODEL_BULDING_PACK_PATH}/qlpack.yml )
+          model_checksum="${pack_version##*.}"
+          echo "Will use pack model ${pack_version} with model checksum ${model_checksum}."
+
+          # Download the model to the package cache
+          tmp_dir=$(mktemp -d)
+          gh codeql pack download codeql/javascript-experimental-atm-model@${pack_version}
+
+          # Trust the model so that we can use it in the ATM boosted queries
+          mkdir -p "$HOME/.config/codeql"
+          echo "--insecurely-execute-ml-model-checksums ${model_checksum}" >> "$HOME/.config/codeql/config"
+          echo "::endgroup::"
+
+      - name: Create test DB
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "::group::Create test database"
+          gh repo clone ${DB_NAME} -- --depth 1
+          gh codeql database create ${DB_PATH} --language javascript 
+          echo "::endgroup::"
+
+      - name: Run ATM query suite
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "::group::Run boosted query suite"
+          gh codeql database run-queries -vv -- ${DB_PATH} codeql-lib/${QUERY_SUITE}
+          if [[ $? -ne 0 ]]; then
+            echo "Failed to run the ATM query suite."
+            exit 1
+          else
+            echo "Successfully run ATM query suite."
+          fi
+          echo "::endgroup::"
+      
