github · aeisenberg · Jun 16, 2022 · Jun 14, 2022 · Jun 14, 2022 · Jun 14, 2022
diff --git a/.github/check-sarif/action.yml b/.github/check-sarif/action.yml
@@ -0,0 +1,20 @@
+name: Check SARIF
+description: Checks a SARIF file to see if certain queries were run and others were not run.
+inputs:
+  sarif-file:
+    required: true
+    description: The sarif file to check
+
+  queries-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should be included in this SARIF file.
+
+  queries-not-run:
+    required: true
+    description: |
+      Comma separated list of query ids that should NOT be included in this SARIF file.
+
+runs:
+  using: node12
+  main: index.js
diff --git a/.github/check-sarif/index.js b/.github/check-sarif/index.js
@@ -0,0 +1,52 @@
+'use strict'
+
+const core = require('@actions/core');
+const fs = require('fs')
+
+const sarif = JSON.parse(fs.readFileSync(core.getInput('sarif-file'), 'utf8'))
+const rules = sarif.runs[0].tool.extensions.flatMap(ext => ext.rules || [])
+
+// Expected Queries
+const expectedQueriesRun = getInput('queries-run')
+const queriesThatShouldHaveRunButDidnt = expectedQueriesRun.reduce((acc, queryId) => {
+  if (!rules.some(rule => rule.id === queryId)) {
+    acc.push(queryId)
+  }
+  return acc
+}, []);
+
+if (queriesThatShouldHaveRunButDidnt.length > 0) {
+  core.setFailed(`The following queries were expected to run but did not: ${queriesThatShouldHaveRunButDidnt.join(', ')}`)
+}
+
+// Unexpected Queries
+const expectedQueriesNotRun = getInput('queries-not-run')
+
+const queriesThatShouldNotHaveRunButDid = expectedQueriesNotRun.reduce((acc, queryId) => {
+  if (rules.some(rule => rule.id === queryId)) {
+    acc.push(queryId)
+  }
+  return acc
+}, []);
+
+if (queriesThatShouldNotHaveRunButDid.length > 0) {
+  core.setFailed(`The following queries were NOT expected to have run but did: ${queriesThatShouldNotHaveRunButDid.join(', ')}`)
+}
+
+
+core.startGroup('All queries run')
+rules.forEach(rule => {
+  core.info(`${rule.id}: ${(rule.properties && rule.properties.name) || rule.name}`)
+})
+core.endGroup()
+
+core.startGroup('Full SARIF')
+core.info(JSON.stringify(sarif, null, 2))
+core.endGroup()
+
+function getInput(name) {
+  return core.getInput(name)
+    .split(',')
+    .map(q => q.trim())
+    .filter(q => q.length > 0)
+}
diff --git a/.github/workflows/expected-queries-runs.yml b/.github/workflows/expected-queries-runs.yml
@@ -0,0 +1,46 @@
+name: Expected queries runs
+
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+
+jobs:
+  expected-queries:
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: latest
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        TEST_MODE: true
+
+    - name: Check Sarif
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file:  ${{ runner.temp }}/results/javascript.sarif
+        queries-run: js/incomplete-hostname-regexp,js/path-injection
+        queries-not-run: foo,bar
diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml
@@ -0,0 +1,97 @@
+name: Query filters tests
+
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+
+jobs:
+  expected-queries:
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: latest
+
+    # Test 1
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        config-file: ./.github/codeql/codeql-config-query-filters1.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        db-location: ${{ runner.temp }}/test1
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        TEST_MODE: true
+    - name: Check Sarif
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file:  ${{ runner.temp }}/results/javascript.sarif
+        queries-run: js/zipslip
+        queries-not-run: js/path-injection
+    - name: Cleanup after test
+      run: rm -rf "$RUNNER_TEMP/results"
+
+    # Test 2
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        config-file: ./.github/codeql/codeql-config-query-filters2.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        db-location: ${{ runner.temp }}/test2
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        TEST_MODE: true
+    - name: Check Sarif
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file:  ${{ runner.temp }}/results/javascript.sarif
+        queries-run: js/zipslip,javascript/example/empty-or-one-block
+        queries-not-run: js/path-injection
+    - name: Cleanup after test
+      run: rm -rf "$RUNNER_TEMP/results"
+
+    # Test 3
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        config-file: ./.github/codeql/codeql-config-query-filters3.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        db-location: ${{ runner.temp }}/test3
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        TEST_MODE: true
+    - name: Check Sarif
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file:  ${{ runner.temp }}/results/javascript.sarif
+        queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs
+        queries-not-run: js/path-injection,complex-python-querypack/show-ifs,complex-python-querypack/foo/bar/show-ifs
+    - name: Cleanup after test
+      run: rm -rf "$RUNNER_TEMP/results"
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,7 +2,7 @@
 
 ## [UNRELEASED]
 
-No user facing changes.
+- Add the ability to filter queries from a code scanning run by using the `query-filters` option in the code scanning configuration file.[#1098](https://github.com/github/codeql-action/pull/1098)
 
 ## 2.1.12 - 01 Jun 2022
 

diff --git a/lib/analyze.js b/lib/analyze.js