First draft with bare bones

Author: felicitymay

docs/codeql/codeql-for-visual-studio-code/customizing-settings.rst

@@ -25,6 +25,8 @@ Editing settings
 
 3. Edit a setting. The new settings are saved automatically.
 
+Alternatively, you can edit the settings in JSON format by opening the command palette and selecting **Preferences: Open User Settings (JSON)**.
+
 Choosing a version of the CodeQL CLI
 --------------------------------------
 
@@ -55,17 +57,56 @@ By default, items in the query history view are retained for 30 days. You can se
 
 .. _configuring-settings-for-running-queries:
 
-Configuring settings for running queries
------------------------------------------
+Configuring settings for running queries locally
+------------------------------------------------
 
 There are a number of settings for **Running Queries**. If your queries run too slowly and time out frequently, you may want to increase the memory. 
 
 .. include:: ../reusables/running-queries-debug.rst
 
 To save query server logs in a custom location, edit the **Running Queries: Custom Log Directory** setting. If you use a custom log directory, the extension saves the logs permanently, instead of deleting them automatically after each workspace session. This is useful if you want to investigate these logs to improve the performance of your queries.
 
-Configuring settings for testing queries
------------------------------------------
+Configuring settings for variant analysis
+------------------------------------------
+
+You can define or edit lists of GitHub repositories for variant analysis, and change to a different controller repository using the **Variant analysis** settings.
+
+For information on the purpose and requirements for a controller repository, see ":ref:`About the controller repository <controller-repository>`."
+TODO
+The items shown in the Variant Analysis Repositories panel can also be managed by editing a file in your VS Code workspace called databases.json. This file contains a JSON representation of all the items displayed in the panel. To open your databases.json file in an editor window, click the { } icon in the top right of the variant analysis repositories panel. You can then see a structured representation of the repos, orgs and lists in your panel. For example:
+
+{
+  "version": 1,
+  "databases": {
+    "variantAnalysis": {
+      "repositoryLists": [
+        {
+          "name": "My favourite JavaScript repos",
+          "repositories": [
+            "facebook/react",
+            "babel/babel",
+            "angular/angular"
+          ]
+        }
+      ],
+      "owners": [
+        "microsoft"
+      ],
+      "repositories": [
+        "apache/hadoop"
+      ]
+    }
+  },
+  "selected": {
+    "kind": "variantAnalysisSystemDefinedList",
+    "listName": "top_10"
+  }
+}
+
+You can change the items shown in the panel or add new items by directly editing this file.
+
+Configuring settings for testing queries locally
+------------------------------------------------
 
 To increase the number of threads used for testing queries, you can update the **Running Tests > Number Of Threads** setting.
 

docs/codeql/codeql-for-visual-studio-code/exploring-data-flow-with-path-queries.rst

@@ -3,7 +3,7 @@
 .. _exploring-data-flow-with-path-queries:
 
 Exploring data flow with path queries
-=================================================
+=====================================
 
 You can run CodeQL queries in VS Code to help you track the flow of data through a program, highlighting areas that are potential security vulnerabilities.
 

docs/codeql/codeql-for-visual-studio-code/running-codeql-queries-at-scale-with-mrva.rst

@@ -10,24 +10,137 @@ Running CodeQL queries at scale with multi-repository variant analysis
 About multi-repository variant analysis
 ---------------------------------------
 
-Explain what MVRA is, when it's useful, and basic billing (uses actions minutes for private repos).
+When you write a query to find variants of a security vulnerability and finish testing it locally, the next step is to run it on a large group of repositories. Multi-repository variant analysis (variant analysis) makes it easy run a query on up to 1000 repositories without leaving Visual Studio Code.
+
+The core functionality of the CodeQL extension helps you write queries and run them locally against a CodeQL database. In contrast, variant analysis allows you to send your CodeQL query to GitHub.com to be tested against a list of repositories.
 
 .. _controller-repository:
 
 About the controller repository
 -------------------------------
-Explain what a controller repository is, how to choose a good repository, can a team use a single repository, and any other questions that came up during the private beta test. Note that if you want to run MRVA on private repositories, you need to use a private controller repository to enable analysis.
-
-Getting started with variant analysis
--------------------------------------
-Explain how to set it up for the first time.
-Explain how to run variant analysis.
-Explain how the results view works.
-
-Configuring variant analysis
-----------------------------
-Explain how to create your own list of repositories.
-Explain how to change your controller repository.
+
+When you run variant analysis, the analysis is run entirely using dynamic workflows for GitHub Actions. You don't need to create any workflows, but you must specify which GitHub repository the CodeQL extension should use as the "controller repository."
+
+Functions of the controller repository
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- **Workflow management:** the workflow runs that are triggered when you run variant analysis are shown on the **Actions** tab for the repository in much the same as other workflow runs.
+- **Billing:** when you analyze private repositories, the actions minutes used by CodeQL analysis are billed to the owner of the controller repository.
+
+Requirements of the controller repository
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+- The repository must have at least one commit. 
+- The ``GITHUB_TOKEN`` must have "Read and write permissions" when running workflows in this repository. For more information, see "`Managing GitHub Actions settings for a repository <https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository>`__."
+- The repository visibility must be "public" if you plan to analyze public repositories. The variant analysis will be free.
+- The repository visibility must be "private" or "internal" if you need to analyze private and internal repositories. Any actions minutes used by variant analysis, above the free limit, will be charged to the repository owner. For more information about free minutes and billing, see "`About billing for GitHub Actions <https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions>`__." 
+
+TODO: Check on "internal" repositories.
+
+.. pull-quote::
+
+    Note
+
+    You can update your settings to use a different controller repository when you want to run variant analysis on a different group of repositories. For example, if you have finished testing the query on open source code and now want to test it on your private code. However, you must wait until any previous analysis is complete before you change the controller repository.
+
+TODO: check that the guess in the note above is accurate.
+
+Setting up variant analysis
+---------------------------
+
+You can configure the CodeQL extension to run variant analysis by defining a controller repository.
+
+.. image:: ../images/codeql-for-visual-studio-code/controller-repository.png
+    :width: 350
+    :alt: Screenshot of the CodeQL extension in Visual Studio Code. The "Variant Analysis Repositories" section is expanded and the "Set up controller repository" button is highlighted with a dark orange outline.
+
+#. In Visual Studio Code, click **QL** in the left sidebar to display the CodeQL extension.
+
+#. Expand **Variant Analysis Repositories** and click **Set up controller repository** to display a field for the controller repository.
+
+#. Type the owner and name of the repository on GitHub.com that you want to use as your controller repository and press the **Enter** key.
+
+#. If you are prompted to authenticate with GitHub, follow the instructions and sign into your pesonal or organization account. When you have finished following the process, a prompt from GitHub Authentication may ask for permission to open a URI in Visual Studio Code, click **Open**.
+
+The name of the controller repository is saved in your settings for the CodeQL extension. For information on how to edit the controller repository, see ":ref:`Customizing settings <customizing-settings>`."
+
+Running a query at scale using variant analysis
+-----------------------------------------------
+
+#. Expand the **Variant Analysis Repositories** section, to show the default lists of the top 10, top 100, and top 1000 public repositories on GitHub.com. These are ranked by considering various metrics such as number of stars, number of watchers, number of forks etc.
+
+#. Select the **Top 10 repositories** to test your query against.
+
+#. Open the query you want to run, right-click in the query file, and select **CodeQL: Run Variant Analysis** to start variant analysis.
+
+The CodeQL extension builds a CodeQL pack with your library and any library dependencies. The CodeQL pack and your selected repository list are posted to an API endpoint on GitHub.com which triggers a GitHub Actions dynamic workflow in your controller repository. The workflow spins up multiple parallel jobs to execute the CodeQL query against the repositories in the list, optimizing query execution. As each workflow run finishes, the results are processed and displayed in a variant analysis results view in Visual Studio Code.
+
+.. pull-quote::
+
+    Note
+
+    If you need to cancel the variant analysis run for any reason, click **Stop query** in the Variant Analysis Results view.
+
+Exploring your results
+----------------------
+
+When you run variant analysis, as soon as a workflow to run your analysis on GitHub is running, a Variant Analysis Results view opens to display the results as soon as they are ready. You can use this view to monitor progress, see any errors, and access the workflow logs in your controller repository.
+
+.. image:: ../images/codeql-for-visual-studio-code/variant-analysis-results-view.png
+    :alt: Screenshot of the "Variant Analysis Results" view showing a partially complete run. Analysis of ``angular/angular`` is still running but all other results are displayed. ``facebook/create-react-app`` has three results for this query.
+
+When your variant analysis run is scheduled, the results view automatically opens. Initially the view shows a list of every repository that was scheduled for analysis. As each repository is analyzed, the view is updated to show a summary of the number of results. To view the detailed results for a repository (including results paths), click the repository name.
+
+For each repository, you can see:
+
+- Number of results found by the query
+- Visibility of the repository
+- Whether analysis is still running (black, moving circle) or finished (green checkmark)
+- Number of stars the repository has on GitHub
+- How long ago the CodeQL database that was analyzed was created
+
+To see the results for a repository:
+
+.. image:: ../images/codeql-for-visual-studio-code/variant-analysis-result.png
+    :alt: Screenshot of an example result in the "Variant Analysis Results" view. The result has blue links to the source files in GitHub so you can go straight to the repository to fix the problem. There is also a "Show paths" link because this is a data flow query.
+
+#. Click the repository name to show a summary of each result.
+
+#. Explore the information available for each result using links to the source files in GitHub.com and, for data flow queries, the **Show paths** link. For more information, see "ref:`Exploring data flow with path queries <exploring-data-flow-with-path-queries>`."
+
+Exporting your results
+----------------------
+
+#. Optionally, click **Export results** to export the results to a gist on GitHub.com or to a markdown file
+
+
+Creating your own lists of repositories
+---------------------------------------
+
+The Variant analysis repositories panel is used to select and manage the repos queried during variant analysis. We provide predefined lists of the most important repositories per language (Top 10, Top 100, or Top 1000) but you can also add your own lists, single repos, or GitHub organizations to the panel. To add new items, use the buttons located on the top right of the panel.
+
+Note: When you run variant analysis against a list of repositories, the query will only be executed against the repos that currently have a CodeQL database available to download. We store CodeQL databases for thousands of public repositories, including all repos that run code scanning. So the best way to make a repository available for variant analysis is to enable code scanning with CodeQL.
+Adding a single GitHub repository or organization for variant analysis
+Click the + icon. 
+From the drop down menu, choose to either add a GitHub repository or a GitHub organisation/owner.
+Specify either the org/repo or org identifier in the text box.
+Adding a new list of repositories for variant analysis
+Click the +📁 icon.
+Specify a name for your list in the drop down text box and hit enter.
+Add repos to the list by first clicking on the name of the new list in the panel. Then click + and specify the org/repo identifier for each repo you want to add.
+
+#. Optionally, click **Copy repository list** to add a list of the repositories that have results for your query to the clipboard as JSON. For example:
+
+.. code-block:: json
+
+    {
+        "name": "new-repo-list",
+        "repositories": [
+            "facebook/create-react-app"
+        ]
+    }
+
+
 
 Troubleshooting variant analysis
 --------------------------------

docs/codeql/codeql-for-visual-studio-code/troubleshooting-codeql-for-visual-studio-code.rst

@@ -6,7 +6,7 @@ Troubleshooting CodeQL for Visual Studio Code
 =============================================
 
 This article explains how to debug problems with the analysis of CodeQL databases that are stored on your local
-machine. For information on troubleshooting variant analysis, where the CodeQL dataabases are on GitHub.com, see
+machine. For information on troubleshooting variant analysis, where the analysis is run using GitHub Actions, see
 ":ref:`Troubleshooting variant analysis <troubleshooting-variant-analysis>`."
 
 You can use the detailed information written to the extension's log files if you need to troubleshoot problems

docs/codeql/codeql-for-visual-studio-code/troubleshooting-variant-analysis.rst

@@ -7,9 +7,47 @@ Troubleshooting variant analysis
 
 .. include:: ../reusables/beta-note-mrva.rst
 
-This article explains how to debug problems with variant analysis. That is, analysis where the
-CodeQL databases are on GitHub.com and not locally on your machine.
+This article explains how to debug problems with variant analysis. That is, analysis run using GitHub Actions
+and not locally on your machine.
 For information on troubleshooting local analysis, see
 ":ref:`Troubleshooting CodeQL for Visual Studio Code <troubleshooting-codeql-for-visual-studio-code>`."
 
+When you run variant analysis, there are two key places where errors and warnings are displayed:
+
+#. **Visual Studio Code errors** - any problems with creating a CodeQL pack and sending the analysis to GitHub.com are reported as Visual Studio Code errors in the bottom right corner of the application. The problem information is also available in the **Problems** view.
+#. **Variant Analysis Results** - any problems with the variant analysis run are reported in this view.
+
+Variant analysis warning: Problem with controller repository
+------------------------------------------------------------
+
+If there are problems with the variant analysis run, you will see a warning banner at the top of the Variant Analysis Results tab. For example:
+
+.. image:: ../images/codeql-for-visual-studio-code/variant-analysis-results-warning.png
+    :width: 600
+    :alt: Screenshot of the "Variant Analysis Results" view showing a warning banner with the text "warning: Problem with controller repository" and "Publicly visible controller repository can't be used to analyze private repositories. 1 private repository was not analyzed." The "Show logs" button is highlighted with a dark orange outline.
+
+In this example, the user ran variant analysis on a custom list of two repositories. One of the repositories was a private repository and could not be analyzed because they had a public controller repository. Only the public repository was analyzed. To analyze both repositories, they need to edit their settings and update the controller repository to a private repository. For information on how to edit the controller repository, see ":ref:`Customizing settings <customizing-settings>`."
+
+CodeQL extension error: Bundling pack failed
+--------------------------------------------
+
+If the CodeQL extension fails to create the CodeQL pack, you will see an error message in the bottom right corner of Visual Studio Code. For example:
+
+.. image:: ../images/codeql-for-visual-studio-code/variant-analysis-cli-error.png
+    :width: 450
+    :alt: Screenshot of a Visual Studio Code error shown in the bottom right corner of the application. The error message "Bundling pack failed" is visible. The "Show log" button is highlighted with a dark orange outline.
+
+TODO: Ask James to check this is a reasonable example, or to create a better screenshot for this example.
+
+The most likely cause of this type of error is that your current workspace does not contain the CodeQL workspace.
+
+You can update your environment to fix this problem as follows.
+
+#. Change the root of your workspace for Visual Studio Code to be the same as your CodeQL workspace.
+
+TODO: Ask for more information about this step above.
+
+#. Add an extra folder in your workspace (**File > Add Folder to Workspace**) for the suite-helpers: ``codeql/misc/suite-helpers``.
+
+#. Using the terminal in Visual Studio Code, use the CodeQL CLI to download the ``codeql/suite-helpers`` pack: ``codeql pack download codeql/suite-helpers``.