Initial commit

Author: hvitved

.codeqlmanifest.json

@@ -0,0 +1,10 @@
+{
+    "provide": [
+        "ql/src/qlpack.yml",
+        "ql/consistency-queries/qlpack.yml",
+        "ql/test/qlpack.yml",
+        "ql/examples/qlpack.yml",
+        "upgrades/qlpack.yml",
+        "extractor-pack/codeql-extractor.yml"
+    ]
+}

.devcontainer/Dockerfile

@@ -0,0 +1,15 @@
+# See here for image contents: https://github.com/microsoft/vscode-dev-containers/tree/v0.162.0/containers/rust/.devcontainer/base.Dockerfile
+
+FROM mcr.microsoft.com/vscode/devcontainers/rust:0-1
+
+RUN apt-key --keyring /usr/share/keyrings/githubcli-archive-keyring.gpg adv \
+    --keyserver keyserver.ubuntu.com --recv-key C99B11DEB97541F0 && \
+    echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages $(lsb_release -cs) main" \
+    |  tee /etc/apt/sources.list.d/github-cli2.list > /dev/null
+
+
+RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
+    && apt-get -y install --no-install-recommends gh 
+
+COPY post_create.sh /bin/post_create.sh
+COPY post_attach.sh /bin/post_attach.sh

.devcontainer/devcontainer.json

@@ -0,0 +1,39 @@
+// For format details, see https://aka.ms/devcontainer.json. For config options, see the README at:
+// https://github.com/microsoft/vscode-dev-containers/tree/v0.162.0/containers/rust
+{
+	"name": "Rust",
+	"build": {
+		"dockerfile": "Dockerfile"
+	},
+	"runArgs": [
+		"--cap-add=SYS_PTRACE",
+		"--security-opt",
+		"seccomp=unconfined"
+	],
+	// Set *default* container specific settings.json values on container create.
+	"settings": {
+		"terminal.integrated.shell.linux": "/bin/bash",
+		"lldb.executable": "/usr/bin/lldb",
+		// VS Code don't watch files under ./target
+		"files.watcherExclude": {
+			"**/target/**": true
+		}
+	},
+	// Add the IDs of extensions you want installed when the container is created.
+	"extensions": [
+		"rust-lang.rust",
+		"bungcip.better-toml",
+		"vadimcn.vscode-lldb",
+		"mutantdino.resourcemonitor",
+		"ms-azuretools.vscode-docker",
+		"github.vscode-codeql"
+	],
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "rustc --version",
+	// Comment out connect as root instead. More info: https://aka.ms/vscode-remote/containers/non-root.
+	"remoteUser": "vscode",
+	"postCreateCommand": [ "/bin/post_create.sh" ],
+	"postAttachCommand": [ "flock", "-E", "0", "-n", "/var/lock/post_attach.lock", "/bin/post_attach.sh" ]
+}

.devcontainer/post_attach.sh

@@ -0,0 +1,36 @@
+#! /bin/bash
+set -xe
+
+echo "Check installed CodeQL version"
+CURRENT_CODEQL_BIN=$(readlink -e /usr/local/bin/codeql || echo "")
+LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | sort --version-sort | tail -1)
+
+BASE_DIR=/home/vscode/codeql-binaries
+mkdir -p "${BASE_DIR}"
+LATEST_CODEQL_DIR="${BASE_DIR}/codeql-${LATEST}"
+LATEST_CODEQL_BIN="${LATEST_CODEQL_DIR}/codeql/codeql"
+
+if [ "${CURRENT_CODEQL_BIN}" != "${LATEST_CODEQL_BIN}" ]; then
+  echo "Installing CodeQL ${LATEST}"
+  TMPDIR=$(mktemp -d -p "$(dirname ${LATEST_CODEQL_DIR})")
+  gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip -D "${TMPDIR}" "$LATEST" 
+  unzip -oq "${TMPDIR}/codeql-linux64.zip" -d "${TMPDIR}"
+  rm -f "${TMPDIR}/codeql-linux64.zip"
+  mv "${TMPDIR}" "${LATEST_CODEQL_DIR}"
+  test -x "${LATEST_CODEQL_BIN}" && sudo ln -sf "${LATEST_CODEQL_BIN}" /usr/local/bin/codeql
+  if [[ "${CURRENT_CODEQL_BIN}" =~ .*/codeql/codeql ]]; then
+    rm -rf "$(dirname $(dirname ${CURRENT_CODEQL_BIN}))"
+  fi
+fi
+
+echo "Build the Ruby extractor"
+
+# clone the git dependencies using "git clone" because cargo's builtin git support is rather slow
+REPO_DIR="${CARGO_HOME:-/home/vscode/.cargo}/git/db" 
+REPO_DIR_ERB="${REPO_DIR}/tree-sitter-embedded-template-4c796e3340c233b6"
+REPO_DIR_RUBY="${REPO_DIR}/tree-sitter-ruby-666a40ce046f8e7a"
+
+mkdir -p "${REPO_DIR}"
+test -e "${REPO_DIR_RUBY}" || git clone -q --bare https://github.com/tree-sitter/tree-sitter-ql.git "${REPO_DIR_RUBY}"
+
+./create-extractor-pack.sh

.devcontainer/post_create.sh

@@ -0,0 +1,4 @@
+#! /bin/bash
+
+mkdir -p /home/vscode/.config/codeql
+echo '--search-path /workspaces/codeql-ruby' >> /home/vscode/.config/codeql/config

.gitattributes

@@ -0,0 +1 @@
+Cargo.lock   -diff -whitespace

.github/workflows/build.yml

@@ -0,0 +1,97 @@
+name: Rust
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+
+    runs-on: ${{ matrix.os }}
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Install GNU tar
+        if: runner.os == 'macOS'
+        run: |
+          brew install gnu-tar
+          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
+      - uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-rust-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Check formatting
+        run: cargo fmt --all -- --check
+      - name: Build
+        run: cargo build --verbose
+      - name: Run tests
+        run: cargo test --verbose
+      - name: Release build
+        run: cargo build --release
+      - name: Generate dbscheme
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        run: target/release/ql-generator
+      - uses: actions/upload-artifact@v2
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        with:
+          name: ql.dbscheme
+          path: ql/src/ql.dbscheme
+      - uses: actions/upload-artifact@v2
+        if: ${{ matrix.os == 'ubuntu-latest' }}
+        with:
+          name: TreeSitter.qll
+          path: ql/src/codeql_ql/ast/internal/TreeSitter.qll
+      - uses: actions/upload-artifact@v2
+        with:
+          name: extractor-${{ matrix.os }}
+          path: |
+            target/release/ql-extractor
+            target/release/ql-extractor.exe
+          retention-days: 1
+  package:
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: ql.dbscheme
+          path: ruby
+      - uses: actions/download-artifact@v2
+        with:
+          name: extractor-ubuntu-latest
+          path: linux64
+      - uses: actions/download-artifact@v2
+        with:
+          name: extractor-windows-latest
+          path: win64
+      - uses: actions/download-artifact@v2
+        with:
+          name: extractor-macos-latest
+          path: osx64
+      - run: |
+          mkdir -p ruby
+          cp -r codeql-extractor.yml tools ql/src/ql.dbscheme.stats ruby/
+          mkdir -p ruby/tools/{linux64,osx64,win64}
+          cp linux64/ql-extractor ruby/tools/linux64/extractor
+          cp osx64/ql-extractor ruby/tools/osx64/extractor
+          cp win64/ql-extractor.exe ruby/tools/win64/extractor.exe
+          chmod +x ruby/tools/{linux64,osx64}/extractor
+          zip -rq codeql-ruby.zip ruby
+      - uses: actions/upload-artifact@v2
+        with:
+          name: codeql-ruby-pack
+          path: codeql-ruby.zip
+          retention-days: 1

.github/workflows/dataset_measure.yml

@@ -0,0 +1,80 @@
+name: Collect database stats
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - ql/src/ql.dbscheme
+  pull_request:
+    branches: [main]
+    paths:
+      - ql/src/ql.dbscheme
+  workflow_dispatch:
+
+jobs:
+  measure:
+    env:
+      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
+    strategy:
+      fail-fast: false
+      matrix:
+        repo: [rails/rails, discourse/discourse, spree/spree]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Fetch CodeQL
+        run: |
+          LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | sort --version-sort | tail -1)
+          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
+          unzip -q codeql-linux64.zip
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Build Extractor
+        run: env "PATH=$PATH:${{ github.workspace }}/codeql" ./create-extractor-pack.sh
+
+      - name: Checkout ${{ matrix.repo }}
+        uses: actions/checkout@v2
+        with:
+          repository: ${{ matrix.repo }}
+          path: ${{ github.workspace }}/repo
+      - name: Create database
+        run: |
+          codeql/codeql database create \
+            --search-path "${{ github.workspace }}" \
+            --threads 4 \
+            --language ruby --source-root "${{ github.workspace }}/repo" \
+            "${{ runner.temp }}/database"
+      - name: Measure database
+        run: |
+          mkdir -p "stats/${{ matrix.repo }}"
+          codeql/codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
+      - uses: actions/upload-artifact@v2
+        with:
+          name: measurements
+          path: stats
+          retention-days: 1
+
+  merge:
+    runs-on: ubuntu-latest
+    needs: measure
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/download-artifact@v2
+        with:
+          name: measurements
+          path: stats
+      - run: |
+          python -m pip install --user lxml
+          find stats -name 'stats.xml' | sort | xargs python scripts/merge_stats.py --output ql/src/ql.dbscheme.stats --normalise tokeninfo
+      - uses: actions/upload-artifact@v2
+        with:
+          name: ql.dbscheme.stats
+          path: ql/src/ql.dbscheme.stats

.github/workflows/qltest.yml

@@ -0,0 +1,38 @@
+name: Run QL Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  qltest:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Fetch CodeQL
+        run: | 
+          LATEST=$(gh release list --repo https://github.com/github/codeql-cli-binaries | cut -f 1 | sort --version-sort | tail -1)
+          gh release download --repo https://github.com/github/codeql-cli-binaries --pattern codeql-linux64.zip "$LATEST"
+          unzip -q codeql-linux64.zip
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+      - uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ runner.os }}-qltest-cargo-${{ hashFiles('**/Cargo.lock') }}
+      - name: Build Extractor
+        run: env "PATH=$PATH:${{ github.workspace }}/codeql" ./create-extractor-pack.sh
+      - name: Run QL tests
+        run: codeql/codeql test run --check-databases --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --search-path "${{ github.workspace }}" --consistency-queries ql/consistency-queries ql/test
+      - name: Check QL formatting
+        run: find ql "(" -name "*.ql" -or -name "*.qll" ")" -print0 | xargs -0 codeql/codeql query format --check-only
+      - name: Check QL compilation
+        run: codeql/codeql query compile --check-only --threads=4 --warnings=error --search-path "${{ github.workspace }}" "ql/src" "ql/examples"

.github/workflows/sync_files.yml

@@ -0,0 +1,17 @@
+name: Check synchronized files
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          submodules: true
+      - name: Check synchronized files
+        run: scripts/sync-identical-files.py