Merge and update about-ql-packs with about-codeql-packs
#10105
Conversation
This is the first of a series of commits around updating packaging docs. `about-ql-packs.rst` is outdated. All relevant information has been moved to about-codeql-packs.rst`.
aeisenberg
force-pushed
the
aeisenberg/about-codeql-packs
branch
from
77c0fb1 to
d737b57
Compare
In this commit: - Replace _QL pack_ with _CodeQL pack_ - Replace `about-ql-pack` references with `about-codeql-packs` - Replace examples using `libraryPathDependencies with `dependencies` - Update some examples to specify the optional `version` field - Update description of query specifiers to note that a path within a pack is valid.
aeisenberg
force-pushed
the
aeisenberg/about-codeql-packs
branch
from
bc3d2b2 to
3890907
Compare
|
It would be great to get lots of different eyes on this. I would like to have a technical review first before getting more of a copy-editing review from someone on the docs team. |
|
@jf205 Should we be removing the beta comment for all packaging features? |
Thanks for asking. CodeQL packaging is still in beta, so let's leave the comments in place. |
docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
Outdated
Show resolved
Hide resolved
docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
Outdated
Show resolved
Hide resolved
docs/codeql/codeql-cli/creating-and-working-with-codeql-packs.rst
Outdated
Show resolved
Hide resolved
Co-authored-by: Henry Mercer <henrymercer@github.com>
There was a problem hiding this comment.
Thanks so much for making a start on this @aeisenberg. I've passed through once and have added a round of comments.
I'd like to look again with fresh eyes soon. It would be good if we could trigger the Docs - Generate Sphinx CI check -- that checks the RST formatting and renders the articles so that we can see what the changes will look like on the docs site.
| You shouldn't specify the root of a :doc:`QL pack | ||
| <about-ql-packs>` when executing ``database analyze`` | ||
| You shouldn't specify the root of a :doc:`CodeQL pack | ||
| <about-codeql-packs>` when executing ``database analyze`` | ||
| as it contains some special queries that aren't designed to be used with | ||
| the command. Rather, to run a wide range of useful queries, run one of the | ||
| LGTM.com query suites. |
There was a problem hiding this comment.
Can we change this to 'code scanning query suites' while we are here?
There was a problem hiding this comment.
Right...I haven't done a search for LGTM references. Looks like there are quite a few. Updating them is outside the scope of this change, but I will change this lgtm reference.
We should schedule some work to update other lgtm references.
There was a problem hiding this comment.
Thanks. We'll address the other LGTM references elsewhere. I think it makes sense to change this while we are so close to it!
| @@ -239,18 +240,23 @@ recursively, so any queries contained in subfolders will also be executed. | |||
|
|
|||
| Important | |||
|
|
|||
| You shouldn't specify the root of a :doc:`QL pack | |||
| <about-ql-packs>` when executing ``database analyze`` | |||
| You shouldn't specify the root of a :doc:`CodeQL pack | |||
There was a problem hiding this comment.
Perhaps we should make clear that this applies to the standard CodeQL packs? Custom CodeQL packs might not contain any special queries.
There was a problem hiding this comment.
It also looks like the order is a bit off here too. Do you think "Running all queries in a directory" should appear before "Integrating a CodeQL pack into a code scanning workflow in GitHub"?
There was a problem hiding this comment.
Yes. I'll change the order.
Custom packs might, or might not contain custom special queries. If you run the pack, it's generally safer since you don't know unless you inspect the pack. It's always safer to run the pack instead of the directory since there's no danger of running special queries.
I'll change it to say something like that.
There was a problem hiding this comment.
Actually, I take that back, this paragraph really is focused on core packs.
|
|
||
| codeql database analyze <python-database> ../ql/python/ql/src/Functions/ --format=sarif-latest --output=python-analysis/python-results.sarif | ||
|
|
||
| A SARIF results file is generated. Specifying ``--format=sarif-latest`` ensures | ||
| If you do not have the CodeQL repository checked out, you can execute the same queries by specifying the query pack name and the path to the queries: |
There was a problem hiding this comment.
| If you do not have the CodeQL repository checked out, you can execute the same queries by specifying the query pack name and the path to the queries: | |
| If you do not have the CodeQL repository checked out, you can execute the same queries by specifying the query pack name and the path to the queries:: |
|
|
||
| Use the ``--download`` flag to download the query pack if it isn't yet available locally. | ||
|
|
||
| After evaluating, a SARIF results file is generated. Specifying ``--format=sarif-latest`` ensures |
There was a problem hiding this comment.
| After evaluating, a SARIF results file is generated. Specifying ``--format=sarif-latest`` ensures | |
| When the analysis has finished, a SARIF results file is generated. Specifying ``--format=sarif-latest`` ensures |
| @@ -34,24 +34,26 @@ You must specify: | |||
|
|
|||
| The ``codeql pack init`` command creates the directory structure and configuration files for a CodeQL pack. By default, the command creates a query pack. If you want to create a library pack, you must edit the ``qlpack.yml`` file to explicitly declare the file as a library pack by including the ``library:true`` property. | |||
|
|
|||
| Modifying an existing QL pack to create a CodeQL pack | |||
| ----------------------------------------------------- | |||
| Modifying an existing legacy CodeQL pack to create a CodeQL pack | |||
There was a problem hiding this comment.
Perhaps we should still refer to the old-style packs as "QL packs" to avoid confusion?
| Modifying an existing legacy CodeQL pack to create a CodeQL pack | |
| Modifying an existing legacy QL pack to create a CodeQL pack |
| .. _standard-ql-packs: | ||
|
|
||
| Examples of CodeQL packs in the CodeQL repository | ||
| ---------------------------------------------~~~~ |
There was a problem hiding this comment.
| ---------------------------------------------~~~~ | |
| -------------------------------------------------- |
| version: ^x.y.z | ||
|
|
||
| The ``version`` field is optional and specifies a range of compatible versions of this CodeQL pack. | ||
| If the version is excluded, then the most recent version of the pack is used. |
There was a problem hiding this comment.
| If the version is excluded, then the most recent version of the pack is used. | |
| If you don't specify a version, then the most recent version of the pack is used. |
|
|
||
| The default suite of a query pack includes a recommended set of queries | ||
| inside of that query pack. Not all query packs have a default suite. If the given query pack does not | ||
| define a default suite, the `qlpack` instruction will resolve to all of the queries within the pack. | ||
|
|
||
| The ``version`` field is optional and specifies a range of compatible versions of this CodeQL pack. | ||
| If the version is excluded, then the most recent version of the pack is used. |
There was a problem hiding this comment.
| If the version is excluded, then the most recent version of the pack is used. | |
| If you don't specify a version, then the most recent version of the pack is used. |
| version: ^x.y.z | ||
|
|
||
| The ``version`` field is optional and specifies a range of compatible versions of this CodeQL pack. | ||
| If the version is excluded, then the most recent version of the pack is used. |
There was a problem hiding this comment.
| If the version is excluded, then the most recent version of the pack is used. | |
| If you don't specify a version, then the most recent version of the pack is used. |
|
@jf205 here is the job that is building the docs. https://github.com/github/semmle-code/runs/7985186319?check_suite_focus=true When it is complete, it should contain a url. |
|
I addressed your changes two days ago, but I pushed them to the wrong branch. Fixing that now. |
Co-authored-by: Dave Bartolomeo <dbartol@github.com>
| .. | ||
| TODO: Add a link to the CodeQL CLI documentation for query resolution, specifically in regards to resolving from source | ||
|
|
||
| The ``codeql/cpp-all`` dependency is locked to version 0.1.4. The ``my-user/my-lib`` dependency is locked to version 0.2.4. The ``my-user/transitive-dependency``, which is a transitive dependency and is not specified in the ``qlpack.yml`` file, is locked to version 1.2.4. The ``other-dependency/from-source`` is absent from the lock file since it is resolved from source. This dependency must be available in the same CodeQL workspace as the pack. | ||
|
|
||
| In most cases, the ``codeql-pack.lock.yml`` file is only relevant for query packs since library packs are non-executable and usually do not need their transitive dependencies to be fixed. The exception to this is for library packs that contain tests. In this case, the ``codeql-pack.lock.yml`` file is used to ensure that the tests are always run with the same versions of dependencies to avoid spurious failures when there are mismatched dependencies. |
There was a problem hiding this comment.
I'm not 100% sure, but I believe that lock files for library packs may also influence the VS Code QL language server, especially if the repo has only library packs. So, it's not just for tests. That said, I think this paragraph that just mentions tests is fine.
There was a problem hiding this comment.
Oh...I didn't know that. Makes sense, though.
There was a problem hiding this comment.
On line 26 we say that lock files are relevant for Query packs. It's possible that we should make a minor update to that line since it sounds as if you may get a lock file with all pack types?
There was a problem hiding this comment.
I made a small change.
aeisenberg
added
the
ready-for-doc-review
docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
Outdated
Show resolved
Hide resolved
| Use the ``--download`` flag to download the query pack if it isn't yet available locally. | ||
|
|
||
| .. _run-query-pack: | ||
|
|
||
| Running a CodeQL pack |
There was a problem hiding this comment.
I'm still not sure the order is right here and we have a bit of repetition, but maybe that's my fault for making a confusing suggestion in an earlier review. Let's not fix it in this PR though. I'll open an issue with my thoughts.
| If you do not have the CodeQL repository checked out, you can execute the same queries by specifying the query pack name and the path to the queries:: | ||
|
|
||
| codeql database analyze --download <python-database> codeql/python-queries:Functions/ --format=sarif-latest --output=python-analysis/python-results.sarif | ||
|
|
||
| Use the ``--download`` flag to download the query pack if it isn't yet available locally. | ||
|
|
There was a problem hiding this comment.
This is almost a repetition of what is in the section on CodeQL packs above. Can we leave it out for now and address the structure of this whole section in a separate issue?
There was a problem hiding this comment.
I'll remove that. Really, we should have the pack variant of the command coming first and the filesystem variant of the command second (if at all).
docs/codeql/codeql-cli/using-custom-queries-with-the-codeql-cli.rst
Outdated
Show resolved
Hide resolved
| .. | ||
| TODO: Add a link to the CodeQL CLI documentation for query resolution, specifically in regards to resolving from source | ||
|
|
||
| The ``codeql/cpp-all`` dependency is locked to version 0.1.4. The ``my-user/my-lib`` dependency is locked to version 0.2.4. The ``my-user/transitive-dependency``, which is a transitive dependency and is not specified in the ``qlpack.yml`` file, is locked to version 1.2.4. The ``other-dependency/from-source`` is absent from the lock file since it is resolved from source. This dependency must be available in the same CodeQL workspace as the pack. | ||
|
|
||
| In most cases, the ``codeql-pack.lock.yml`` file is only relevant for query packs since library packs are non-executable and usually do not need their transitive dependencies to be fixed. The exception to this is for library packs that contain tests. In this case, the ``codeql-pack.lock.yml`` file is used to ensure that the tests are always run with the same versions of dependencies to avoid spurious failures when there are mismatched dependencies. |
There was a problem hiding this comment.
Oh...I didn't know that. Makes sense, though.
docs/codeql/codeql-cli/analyzing-databases-with-the-codeql-cli.rst
Outdated
Show resolved
Hide resolved
| If you do not have the CodeQL repository checked out, you can execute the same queries by specifying the query pack name and the path to the queries:: | ||
|
|
||
| codeql database analyze --download <python-database> codeql/python-queries:Functions/ --format=sarif-latest --output=python-analysis/python-results.sarif | ||
|
|
||
| Use the ``--download`` flag to download the query pack if it isn't yet available locally. | ||
|
|
There was a problem hiding this comment.
I'll remove that. Really, we should have the pack variant of the command coming first and the filesystem variant of the command second (if at all).
Co-authored-by: Felicity Chapman <felicitymay@github.com> Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com>
|
Addressed your comments in a few more commits. |
|
@jf205 has some suggestions for a followup PR, but it looks like others are happy. Thanks for the reviews. |
This is the first of a series of commits around updating packaging docs.
about-ql-packs.rstis outdated. All relevant information has beenmoved to
about-codeql-packs.rst.Also, this goes through all of the other main documentation pages to update them for packaging.