Add QL for QL #7410
Add QL for QL #7410
Conversation
…step New performance query: Transitive step in recursion.
New performance query: Transitive step in recursion.
Finds a single result in
```
semmle.code.java.dataflow.internal.rangeanalysis.SignAnalysisSpecific.qll
```
which starts with
```ql
module Private {
import semmle.code.java.dataflow.RangeUtils as RU
private import semmle.code.java.dataflow.SSA as Ssa
private import semmle.code.java.controlflow.Guards as G
private import java as J
private import Sign
...
```
Finds a single result in
```
semmle.code.java.dataflow.internal.rangeanalysis.SignAnalysisSpecific.qll
```
which starts with
```ql
module Private {
import semmle.code.java.dataflow.RangeUtils as RU
private import semmle.code.java.dataflow.SSA as Ssa
private import semmle.code.java.controlflow.Guards as G
private import java as J
private import Sign
...
```
…this fix implicit this
fix implicit this
There was a problem hiding this comment.
Would it be possible to configure categories for each of our CodeQL languages? (python, javascript, java, ...) that should allows us to filter down on just a single language when viewing Code Scanning alerts.
erik-krogh
force-pushed
the
erik-krogh/publish-ql-for-ql
branch
from
0bebac5
to
4beacee
Compare
|
I've fixed all the comments (some things are left for followup PRs). |
There was a problem hiding this comment.
The workflow parts look good enough to merge now.
I do agree with Arthur that the codeql-cli download trick through codeql-action appears to just complicate matters with little tangible benefit. Perhaps the next iteration of that logic should use https://github.com/github/gh-codeql?
Some integration concerns:
- Could we exclude the known test directories from extraction to avoid lots of noisy alerts?
- Will we be overriding the results from the ordinary codeql-action run if that runs happen before this customized codeql action run (or vice versa)? I'm too fuzzy on how code-scanning behaves.
| uses: actions/cache@v2 | ||
| with: | ||
| path: ${{ runner.temp }}/query-pack.zip | ||
| key: queries-${{ hashFiles('**/*.ql*') }} |
There was a problem hiding this comment.
Nit: Technically, the dbscheme and its stats belong to this key as well. But so does the hash of the codeql-cli itself.
There was a problem hiding this comment.
I've added the version (from codeql-version) and the hash of the dbscheme files to the key.
Maybe... I think I'll look into that in a followup PR.
That is not an issue. |
erik-krogh
force-pushed
the
erik-krogh/publish-ql-for-ql
branch
9 times, most recently
from
ec1b574
to
1b98661
Compare
erik-krogh
force-pushed
the
erik-krogh/publish-ql-for-ql
branch
from
1b98661
to
2626b0b
Compare
This PR merges the QL for QL project into
github/codeql.Included is a new workflow that runs QL for QL on all PRs.
I moved the implementation into a
ql/folder, and I updated the workflow files such that they should work well in this repository.You can see the implementation here.
That is the commit right before the merge (the merge was clean, there were no conflicting files).
You can inspect the results found by QL for QL by clicking on the failing code-scanning check in the bottom of this PR.
How to review
There are really only two things that need review:
The rest is the unmodified QL for QL implementation.
We don't have a QL for QL team, so I think everyone that is part of a CodeQL team is qualified to review (and approve) this PR.