Comparing changes

base repository: github/vscode-codeql
base: v1.4.5
head repository: github/vscode-codeql
compare: main
Showing 1,286 changed files with 402,308 additions and 38,182 deletions.
5 changes: 5 additions & 0 deletions .git-blame-ignore-revs
@@ -0,0 +1,5 @@
# Run this command to always ignore formatting commits in `git blame`
# git config blame.ignoreRevsFile .git-blame-ignore-revs

# Formatted all code using Prettier instead of tsfmt
ebcdf8ad0bb5bcb3efa679211709671716b892ba
9 changes: 8 additions & 1 deletion .gitattributes
@@ -18,4 +18,11 @@ yarn.lock merge=binary
# https://mirrors.edge.kernel.org/pub/software/scm/git/docs/gitattributes.html
# suggests that this might interleave lines arbitrarily, but empirically
# it keeps added chunks contiguous
CHANGELOG.md merge=union
CHANGELOG.md merge=union

# Mark some JSON files containing test data as generated so they are not included
# as part of diffs or language statistics.
extensions/ql-vscode/src/stories/variant-analysis/data/*.json linguist-generated

# Always use LF line endings, also on Windows
* text=auto eol=lf
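Review bot: the new `* text=auto eol=lf` rule on the last line changes normalization for every text file already in the index, so a one-off `git add --renormalize .` commit should accompany it; otherwise the next edit to any file that was checked in with CRLF shows up as a whole-file diff and buries the real change. The rest of the hunk is fine: the `linguist-generated` mark on the stories test data keeps large fixtures out of review diffs, and `CHANGELOG.md merge=union` appearing twice is just the line being rewritten with a trailing newline.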
7 changes: 6 additions & 1 deletion .github/ISSUE_TEMPLATE/bug_report.md
@@ -10,7 +10,12 @@ assignees: ''
**Describe the bug**
A clear and concise description of what the bug is.

**To Reproduce**
**Version**
The CodeQL and VS Code version in which the bug occurs.
<!-- To copy version information for the CodeQL extension, click "CodeQL CLI vX.X.X" in the status bar at the bottom of the screen.
To copy detailed version information for VS Code itself, see https://code.visualstudio.com/docs/supporting/FAQ#_how-do-i-find-the-version. -->

**To reproduce**
Steps to reproduce the behavior.

**Expected behavior**
18 changes: 0 additions & 18 deletions .github/ISSUE_TEMPLATE/new-extension-release.md

This file was deleted.

82 changes: 82 additions & 0 deletions .github/actions/create-pr/action.yml
@@ -0,0 +1,82 @@
name: Create a PR if one doesn't exists
description: >
Creates a commit with the current changes to the repo, and opens a PR for that commit. If
any PR with the same title exists, then this action is marked as succeeded.
inputs:
commit-message:
description: >
The message for the commit to be created.
required: true

title:
description: >
The title of the PR. If empty, the title and body will be determined from the commit message.
default: ''
required: false

body:
description: >
The body (description) of the PR. The `title` input must be specified in order for this input to be used.
default: ''
required: false

head-branch:
description: >
The name of the branch to hold the new commit. If an existing open PR with the same head
branch exists, the new branch will be force-pushed to that PR instead of creating a new PR.
required: true

base-branch:
description: >
The base branch to target with the new PR.
required: true

token:
description: |
The GitHub token to use. It must have enough privileges to
make API calls to create and close pull requests.
required: true

runs:
using: composite
steps:
- name: Update git config
shell: bash
run: |
git config --global user.email "github-actions@github.com"
git config --global user.name "github-actions[bot]"
- name: Commit, Push and Open PR
shell: bash
env:
COMMIT_MESSAGE: ${{ inputs.commit-message }}
HEAD_BRANCH: ${{ inputs.head-branch }}
BASE_BRANCH: ${{ inputs.base-branch }}
GH_TOKEN: ${{ inputs.token }}
TITLE: ${{ inputs.title }}
BODY: ${{ inputs.body }}
run: |
set -exu
if ! [[ $(git diff --stat) != '' ]]; then
exit 0 # exit early
fi
# stage changes in the working tree
git add .
git commit -m "$COMMIT_MESSAGE"
git checkout -b "$HEAD_BRANCH"
# CAUTION: gits history changes with the following
git push --force origin "$HEAD_BRANCH"
PR_JSON=$(gh pr list --state open --json number --head "$HEAD_BRANCH")
if [[ $? -ne 0 ]]; then
echo "Failed to fetch existing PRs."
exit 1
fi
PR_NUMBERS=$(echo $PR_JSON | jq '. | length')
if [[ $PR_NUMBERS -ne 0 ]]; then
echo "Found existing open PR: $PR_NUMBERS"
exit 0
fi
gh pr create --head "$HEAD_BRANCH" --base "$BASE_BRANCH" --title "$TITLE" --body "$BODY" --assignee ${{ github.actor }} --draft
if [[ $? -ne 0 ]]; then
echo "Failed to create new PR."
exit 1
fi
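Review bot: the `gh pr create` line interpolates `${{ github.actor }}` directly into the shell script while every other value is routed through `env:`; keep one pattern and pass it as `ACTOR: ${{ github.actor }}` with `--assignee "$ACTOR"`, since expression interpolation inside `run:` is the shape that bites when the value is ever attacker-influenced. Two logic points in the same script: under `set -e` the `if [[ $? -ne 0 ]]` checks after `PR_JSON=$(gh pr list …)` and after `gh pr create` never execute because the failing command has already aborted the step, so the "Failed to …" messages are dead code (use `… || { echo "Failed to …"; exit 1; }` instead), and the early-exit test `! [[ $(git diff --stat) != '' ]]` only sees modified tracked files, whereas `git add .` also stages untracked ones, so a run that only creates new files exits before committing. Smaller items: `$PR_NUMBERS` holds a count, not a PR number, so the "Found existing open PR" message is misleading; `echo $PR_JSON` should be quoted; the `name:` reads "doesn't exists"; and the description says duplicates are detected by title while the code keys on `--head "$HEAD_BRANCH"`.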
4 changes: 4 additions & 0 deletions .github/codeql/codeql-config.yml
@@ -2,10 +2,14 @@ name: "CodeQL config"
queries:
- name: Run standard queries
uses: security-and-quality
- name: Experimental queries
uses: security-experimental
- name: Run custom javascript queries
uses: ./.github/codeql/queries
paths:
- ./extensions/ql-vscode
- ./.github/workflows
- ./.github/actions
paths-ignore:
- '**/node_modules'
- '**/build'
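Review bot: adding `./.github/workflows` and `./.github/actions` to `paths` is the right call given the new composite action in this compare, since expression injection in `run:` steps is exactly what the JavaScript/Actions queries look for. Expect the `security-experimental` suite to raise alert volume noticeably; if that becomes noise, consider listing the specific experimental queries wanted rather than the whole suite.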
16 changes: 16 additions & 0 deletions .github/codeql/queries/ProgressBar.qll
@@ -0,0 +1,16 @@
import javascript

class WithProgressCall extends CallExpr {
WithProgressCall() { this.getCalleeName() = "withProgress" }

predicate usesToken() { exists(this.getTokenParameter()) }

Parameter getTokenParameter() { result = this.getArgument(0).(Function).getParameter(1) }

Property getCancellableProperty() { result = this.getArgument(1).(ObjectExpr).getPropertyByName("cancellable") }

predicate isCancellable() {
this.getCancellableProperty().getInit().(BooleanLiteral).getBoolValue() =
true
}
}
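Review bot: `getTokenParameter()` and `getCancellableProperty()` hard-code the callback at argument 0 and the options object at argument 1, but the class matches any callee named `withProgress`, so a call with the opposite order (the VS Code API's own `window.withProgress(options, task)`) is silently skipped by both queries; either restrict the class to the repository's wrapper or handle both argument orders. Also, `isCancellable()` only recognizes a literal `true`, so `cancellable: someFlag` or a spread options object is classified as not cancellable, which feeds false results into the two queries built on this library.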
37 changes: 37 additions & 0 deletions .github/codeql/queries/assert-no-vscode-dependency.ql
@@ -0,0 +1,37 @@
/**
* @name Unwanted dependency on vscode API
* @kind path-problem
* @problem.severity error
* @id vscode-codeql/assert-no-vscode-dependency
* @description The modules stored under `common` should not have dependencies on the VS Code API
*/

import javascript

class VSCodeImport extends ImportDeclaration {
VSCodeImport() { this.getImportedPath().getValue() = "vscode" }
}

class CommonFile extends File {
CommonFile() {
this.getRelativePath().regexpMatch(".*/src/common/.*") and
not this.getRelativePath().regexpMatch(".*/vscode/.*")
}
}

Import getANonTypeOnlyImport(Module m) {
result = m.getAnImport() and not result.(ImportDeclaration).isTypeOnly()
}

query predicate edges(AstNode a, AstNode b) {
getANonTypeOnlyImport(a) = b or
a.(Import).getImportedModule() = b
}

from Module m, VSCodeImport v
where
m.getFile() instanceof CommonFile and
edges+(m, v)
select m, m, v,
"This module is in the 'common' directory but has a transitive dependency on the vscode API imported $@",
v, "here"
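Review bot: the carve-out `not this.getRelativePath().regexpMatch(".*/vscode/.*")` in `CommonFile` exempts any file whose path contains a `vscode` segment anywhere under `src/common/`, not only `src/common/vscode/`; if the intent is that single directory, anchor it as `.*/src/common/vscode/.*`. The `edges` predicate and `edges+(m, v)` otherwise look right, and excluding type-only imports via `isTypeOnly()` is sensible since those are erased at compile time and add no runtime dependency.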
21 changes: 0 additions & 21 deletions .github/codeql/queries/assert-pure.ql

This file was deleted.

20 changes: 20 additions & 0 deletions .github/codeql/queries/progress-not-cancellable.ql
@@ -0,0 +1,20 @@
/**
* @name Using token for non-cancellable progress bar
* @kind problem
* @problem.severity warning
* @id vscode-codeql/progress-not-cancellable
* @description If we call `withProgress` without `cancellable: true` then the
* token that is given to us should be ignored because it won't ever be cancelled.
* This makes the code more confusing as it tries to account for cases that can't
* happen. The fix is to either not use the token or make the progress bar cancellable.
*/

import javascript
import ProgressBar

from WithProgressCall t
where not t.isCancellable() and t.usesToken()
select t,
"The $@ should not be used when the progress bar is not cancellable. Either stop using the $@ or mark the progress bar as cancellable.",
t.getTokenParameter(), t.getTokenParameter().getName(), t.getTokenParameter(),
t.getTokenParameter().getName()
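Review bot: because `isCancellable()` (in ProgressBar.qll) only matches a literal `cancellable: true`, any call whose cancellability is computed at runtime lands in `not t.isCancellable()` and, if the callback declares a token, produces an alert telling the author to stop using a token that may in fact be cancelled; worth documenting this limitation in the `@description` or widening the library predicate. Minor: the message binds the same `getTokenParameter()` element to both `$@` placeholders, which is fine but could be a single placeholder.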
3 changes: 2 additions & 1 deletion .github/codeql/queries/qlpack.yml
@@ -1,3 +1,4 @@
name: vscode-codeql-custom-queries-javascript
version: 0.0.0
libraryPathDependencies: codeql-javascript
dependencies:
codeql/javascript-queries: "*"
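Review bot: the `"*"` range for `codeql/javascript-queries` resolves to whatever latest pack the CLI fetches at analysis time, so query results can change between two runs of the same commit; pin a bounded range or commit the lock file that `codeql pack install` writes so the dependency is reproducible and auditable.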
18 changes: 18 additions & 0 deletions .github/codeql/queries/token-not-used.ql
@@ -0,0 +1,18 @@
/**
* @name Don't ignore the token for a cancellable progress bar
* @kind problem
* @problem.severity warning
* @id vscode-codeql/token-not-used
* @description If we call `withProgress` with `cancellable: true` but then
* ignore the token that is given to us, it will lead to a poor user experience
* because the progress bar will appear to be canceled but it will not actually
* affect the background process. Either check the token and respect when it
* has been cancelled, or mark the progress bar as not cancellable.
*/

import javascript
import ProgressBar

from WithProgressCall t
where t.isCancellable() and not t.usesToken()
select t, "This progress bar is $@ but the token is not used. Either use the token or mark the progress bar as not cancellable.", t.getCancellableProperty(), "cancellable"
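Review bot: `usesToken()` is `exists(this.getTokenParameter())`, so a callback such as `(progress, _token) => { … }` that declares the second parameter but never reads it satisfies `t.usesToken()` and escapes this query even though it has exactly the problem the `@description` warns about; check for at least one access of the parameter's variable rather than mere presence of the parameter.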