feat(actions): use published actions packs

Alvaro Muñoz · Alvaro Muñoz · commit 76f245b33714 · 2024-02-16T15:34:20.000+01:00
diff --git a/.github/action/dist/index.js b/.github/action/dist/index.js
@@ -28596,7 +28596,7 @@ var __importStar = (this && this.__importStar) || function (mod) {
     return result;
 };
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.installPack = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0;
+exports.codeqlDatabaseAnalyze = exports.codeqlDatabaseCreate = exports.downloadPack = exports.runCommandJson = exports.runCommand = exports.newCodeQL = void 0;
 const fs = __importStar(__nccwpck_require__(7147));
 const path = __importStar(__nccwpck_require__(1017));
 const core = __importStar(__nccwpck_require__(2186));
@@ -28675,18 +28675,6 @@ async function downloadPack(codeql) {
     return false;
 }
 exports.downloadPack = downloadPack;
-async function installPack(codeql, dir) {
-    try {
-        await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib"));
-        await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src"));
-        return true;
-    }
-    catch (error) {
-        core.warning("Failed to install local packs ...");
-    }
-    return false;
-}
-exports.installPack = installPack;
 async function codeqlDatabaseCreate(codeql) {
     // get runner temp directory for database
     var temp = process.env["RUNNER_TEMP"];
@@ -28734,84 +28722,6 @@ async function codeqlDatabaseAnalyze(codeql, database_path) {
 exports.codeqlDatabaseAnalyze = codeqlDatabaseAnalyze;
 
 
-/***/ }),
-
-/***/ 1772:
-/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
-
-"use strict";
-
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.clonePackRepo = exports.runCommandJson = exports.runCommand = exports.newGHConfig = void 0;
-const path = __importStar(__nccwpck_require__(1017));
-const core = __importStar(__nccwpck_require__(2186));
-const toolrunner = __importStar(__nccwpck_require__(8159));
-async function newGHConfig() {
-    return {
-        path: "/usr/bin/",
-    };
-}
-exports.newGHConfig = newGHConfig;
-async function runCommand(config, args) {
-    var bin = path.join(config.path, "gh");
-    let output = "";
-    var options = {
-        listeners: {
-            stdout: (data) => {
-                output += data.toString();
-            },
-        },
-    };
-    await new toolrunner.ToolRunner(bin, args, options).exec();
-    core.debug(`Finished running command :: ${bin} ${args.join(" ")}`);
-    return output.trim();
-}
-exports.runCommand = runCommand;
-async function runCommandJson(config, args) {
-    return JSON.parse(await runCommand(config, args));
-}
-exports.runCommandJson = runCommandJson;
-async function clonePackRepo(gh, path) {
-    try {
-        await runCommand(gh, [
-            "repo",
-            "clone",
-            "GitHubSecurityLab/codeql-actions",
-            path,
-        ]);
-        return true;
-    }
-    catch (error) {
-        core.warning("Failed to clone pack from GitHub...");
-    }
-    return false;
-}
-exports.clonePackRepo = clonePackRepo;
-
-
 /***/ }),
 
 /***/ 6144:
@@ -28847,17 +28757,12 @@ exports.run = void 0;
 const path = __importStar(__nccwpck_require__(1017));
 const core = __importStar(__nccwpck_require__(2186));
 const cql = __importStar(__nccwpck_require__(950));
-const gh = __importStar(__nccwpck_require__(1772));
 /**
  * The main function for the action.
  * @returns {Promise<void>} Resolves when the action is complete.
  */
 async function run() {
     try {
-        // set up gh
-        var ghc = await gh.newGHConfig();
-        core.debug(`GH CLI found at '${ghc.path}'`);
-        await gh.runCommand(ghc, ["version"]);
         // set up codeql
         var codeql = await cql.newCodeQL();
         core.debug(`CodeQL CLI found at '${codeql.path}'`);
@@ -28873,21 +28778,17 @@ async function run() {
             core.setFailed("CodeQL Yaml extractor not installed");
             throw new Error("CodeQL Yaml extractor not installed");
         }
-        core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`);
-        let pack_path = "/tmp/codeql-actions";
-        var pack_cloned = await gh.clonePackRepo(ghc, pack_path);
-        core.info(`Cloned CodeQL Actions pack into '${pack_path}'`);
-        if (pack_cloned === false) {
-            throw new Error("Could not clone the actions ql pack");
-        }
-        core.info(`Installing CodeQL Actions packs from '${pack_path}'`);
-        var pack_installed = await cql.installPack(codeql, pack_path);
-        if (pack_installed === false) {
-            throw new Error("Could not install the actions ql packs");
-        }
-        core.info(`Pack path: '${pack_path}'`);
-        codeql.pack = path.join(pack_path, "ql", "src");
-        core.info(`Codeql Queries pack path: '${codeql.pack}'`);
+        // download pack
+        core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`);
+        var pack_downloaded = await cql.downloadPack(codeql);
+        if (pack_downloaded === false) {
+            var action_path = path.resolve(path.join(__dirname, "..", "..", ".."));
+            codeql.pack = path.join(action_path, "ql", "src");
+            core.info(`Pack defaulting back to local pack: '${codeql.pack}'`);
+        }
+        else {
+            core.info(`Pack downloaded '${codeql.pack}'`);
+        }
         core.info("Creating CodeQL database...");
         var database_path = await cql.codeqlDatabaseCreate(codeql);
         core.info("Running CodeQL analysis...");
diff --git a/.github/action/src/codeql.ts b/.github/action/src/codeql.ts
@@ -106,20 +106,6 @@ export async function downloadPack(codeql: CodeQLConfig): Promise<boolean> {
   return false;
 }
 
-export async function installPack(
-  codeql: CodeQLConfig,
-  dir: string,
-): Promise<boolean> {
-  try {
-    await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/lib"));
-    await runCommand(codeql, ["pack", "install"], path.join(dir, "/ql/src"));
-    return true;
-  } catch (error) {
-    core.warning("Failed to install local packs ...");
-  }
-  return false;
-}
-
 export async function codeqlDatabaseCreate(
   codeql: CodeQLConfig,
 ): Promise<string> {
diff --git a/.github/action/src/gh.ts b/.github/action/src/gh.ts
diff --git a/.github/action/src/index.ts b/.github/action/src/index.ts
@@ -1,21 +1,13 @@
 import * as path from "path";
 import * as core from "@actions/core";
 import * as cql from "./codeql";
-import * as gh from "./gh";
 
 /**
  * The main function for the action.
  * @returns {Promise<void>} Resolves when the action is complete.
  */
 export async function run(): Promise<void> {
   try {
-    // set up gh
-    var ghc = await gh.newGHConfig();
-
-    core.debug(`GH CLI found at '${ghc.path}'`);
-
-    await gh.runCommand(ghc, ["version"]);
-
     // set up codeql
     var codeql = await cql.newCodeQL();
 
@@ -36,26 +28,19 @@ export async function run(): Promise<void> {
       throw new Error("CodeQL Yaml extractor not installed");
     }
 
-    core.info(`Cloning CodeQL Actions pack into '${codeql.pack}'`);
-    let pack_path = "/tmp/codeql-actions";
-    var pack_cloned = await gh.clonePackRepo(ghc, pack_path);
-    core.info(`Cloned CodeQL Actions pack into '${pack_path}'`);
+    // download pack
+    core.info(`Downloading CodeQL IaC pack '${codeql.pack}'`);
+    var pack_downloaded = await cql.downloadPack(codeql);
 
-    if (pack_cloned === false) {
-      throw new Error("Could not clone the actions ql pack");
-    }
-
-    core.info(`Installing CodeQL Actions packs from '${pack_path}'`);
-    var pack_installed = await cql.installPack(codeql, pack_path);
+    if (pack_downloaded === false) {
+      var action_path = path.resolve(path.join(__dirname, "..", "..", ".."));
+      codeql.pack = path.join(action_path, "ql", "src");
 
-    if (pack_installed === false) {
-      throw new Error("Could not install the actions ql packs");
+      core.info(`Pack defaulting back to local pack: '${codeql.pack}'`);
+    } else {
+      core.info(`Pack downloaded '${codeql.pack}'`);
     }
 
-    core.info(`Pack path: '${pack_path}'`);
-    codeql.pack = path.join(pack_path, "ql", "src");
-    core.info(`Codeql Queries pack path: '${codeql.pack}'`);
-
     core.info("Creating CodeQL database...");
     var database_path = await cql.codeqlDatabaseCreate(codeql);
 
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50
+      - uses: dorny/paths-filter@v3
         id: changes
         with:
           filters: |
@@ -26,5 +26,3 @@ jobs:
       - name: Run action
         if: steps.changes.outputs.src == 'true'
         uses: ./
-        with:
-          extractor-version: latest
diff --git a/ql/lib/codeql/actions/DataFlow.qll b/ql/lib/codeql/actions/DataFlow.qll
@@ -7,12 +7,13 @@ module DataFlow {
   private import codeql.actions.dataflow.internal.DataFlowImplSpecific
   import DataFlowMake<ActionsDataFlow>
   import codeql.actions.dataflow.internal.DataFlowPublic
-  
-  /** debug */
+  // debug
   private import codeql.actions.dataflow.internal.TaintTrackingImplSpecific
   import codeql.dataflow.internal.DataFlowImplConsistency as DFIC
+
   module ActionsConsistency implements DFIC::InputSig<ActionsDataFlow> { }
+
   module Consistency {
-   import DFIC::MakeConsistency<ActionsDataFlow, ActionsTaintTracking, ActionsConsistency>
-  } 
+    import DFIC::MakeConsistency<ActionsDataFlow, ActionsTaintTracking, ActionsConsistency>
+  }
 }
