Remote Queries: Create packs for remote queries #985
Conversation
This is still a bit rough, but handles two cases: 1. There is a qlpack.yml or codeql-pack.yml file in the same directory as the query to run remotely. In this case, run `codeql pack packlist` to determine what files to include (and also always include the lock file and the query itself. Copy to a temp folder and run `pack install`, then `pack bundle`. Finally upload. 2. There is no qlpack in the current directory. Just copy the single file to the temp folder and generate a synthetic qlpack before installing, bundling and uploading. Two cases that are not handled: 1. The query file is part of a workspace. Peer dependencies will not be found. 2. The query file and its qlpack file are not in the same directory. These should be possible to handle later. Also, need to create some unit and integration tests for this.
|
Failing tests are now because the remote-queries commands will not work on older versions of the CLI. I will need to disable for < 2.6.3 (or maybe even 2.7.0). |
Also: - Fix the count of copied files - A few typos - Ensure the correct settings are applied for remote queries before running tests.
aeisenberg
force-pushed
the
qc-packs
branch
2 times, most recently
from
21aebcd to
15b0d6e
Compare
Help understand why tests are failing.
How would we lift this restriction in the end? Search upwards for an enclosing directory containing a |
|
|
||
| // If the user has an explicit `.repositories` file, use that. |
There was a problem hiding this comment.
Does this PR remove support for .repositories entirely? Seems like a good change if so.
| name: 'codeql-remote/query', | ||
| version: '1.0.0', | ||
| dependencies: { | ||
| [`codeql/${language}-all`]: '*', |
There was a problem hiding this comment.
This part interests me. I take it this is the equivalent of https://github.com/dsp-testing/qc-run2/blob/ff207ffe5d100a9eb55743bc01f032336abdcde7/src/codeql.ts#L46? How does this behave in the following cases:
- I've made a qlpack that doesn't depend on the core libraries (perhaps it is language independent). Odd case, I know.
- I have a qlpack that contains just a query and the qlpack yml file. I've modified one of the core libraries, for example to add a new sink.
- I have a qlpack that adds some new library files and also uses the core libraries.
There was a problem hiding this comment.
To be clear, this situation only exists when there is no qlpack associated with this query. So...
- As long as there is a qlpack.yml that can be resolved and correctly declares itself to be no-lang, it should be fine.
- I don't think we can (or should?) support this. The
codeql pack createcommand compiles the current pack and also grabs all of its dependencies from the package cache, which get copied into the pack. Users are not supposed to manually edit these dependencies (it would be like manually editing yournode_modules). If this is something that a user feels they need to do, then that's a missing feature we need to work on. - This is already handled by
codeql pack create.
There was a problem hiding this comment.
2. I don't think we can (or should?) support this. The
codeql pack createcommand compiles the current pack and also grabs all of its dependencies from the package cache, which get copied into the pack. Users are not supposed to manually edit these dependencies (it would be like manually editing yournode_modules). If this is something that a user feels they need to do, then that's a missing feature we need to work on.
That's fine for this PR but I think we are missing an important use-case where a CodeQL developer is working on a new or updated query that also requires changes to the core language libraries. I'll add it to the agenda for discussion.
There was a problem hiding this comment.
Hmmm...yes, something to discuss since I don't think we should be encouraging users to change the core libraries. Maybe there's a use case I'm missing.
But, even so, when we run the pack create command, all paths in the vscode workspace are added to the --additional-packs path, so if the core libraries are in the workspace, they should be used instead of whatever is published in the package registry (I haven't tried this out yet, so not sure).
| message: 'Determining query target language' | ||
| }); | ||
|
|
||
| // If the user has an explicit `.repositories` file, use that. |
There was a problem hiding this comment.
Ah, we do still have support for .repositories. I think that would be completely fine to remove at this point, but perhaps we should discuss in our next meeting.
There was a problem hiding this comment.
I think that's worth talking about. @shati-patel may have some opinions on this.
| cliServer: cli.CodeQLCliServer, | ||
| credentials: Credentials, | ||
| uri: Uri | undefined, | ||
| dryRun: boolean, |
There was a problem hiding this comment.
As an alternative to an explicit option like this we have also used stubbing (e.g. https://github.com/github/codeql-action/blob/main/src/database-upload.test.ts), or you could pass in a mocked Octokit.
For the integration test I think it would be quite reasonable to call the API endpoint and run a query in its entirety. If it's against a one or a small number of repositories the cost is extremely small. If the results issue spam is annoying then you could use another repository as the controller.
All up to you.
There was a problem hiding this comment.
I've been finding it very useful to have it as an explicit parameter. This is mostly because I've been testing locally and I don't want to actually upload anything most of the time.
I was even toying with adding a codeql.remote.dryRun undocumented setting, but then I changed my mind.
For now, when I try uploading anything, even though the initial request is successful, the workflow run on the controller repo fails. Once this feature is stable, it may make sense to remove the dry-run flag altogether and actually upload something to run.
There was a problem hiding this comment.
Once this feature is stable, it may make sense to remove the dry-run flag altogether and actually upload something to run.
Hopefully it should all work now as we shipped the server-side changes yesterday.
|
I didn't spot this in my earlier review, but I've just tried with a quick query, and it doesn't seem to work for me 🤔 I'm getting: Possibly because the qlpack.yml for my quick query uses the old format: Do quick queries work for you? |
Yes. I don't think it will be hard to do, but I just want to focus on the simple parts first. |
Hmm...let me check this... Actually, it's for a trivial reason. The qlpack.yml file is missing a scope and |
When we generate the synthetic pack, just ensure that there is a valid name.
|
My comments are now limited to two discussion points for a future meeting, so I'm happy once @shati-patel is! |
|
Thanks 🌞 PR looks good, apart from quick queries 👇🏽
Quick queries still aren't working for me (though possibly for a different reason now 🙃): Can't seems to resolve any dependencies or install any packages... Which then causes other stuff to fail further down the line (like |
|
@shati-patel, it's working for me out of the box, but if I remove the codeql-go submodule from the workspace, then I get the error you mention. Is this what you are seeing? |
|
With some help from @shati-patel, I worked out what the issue was. It's a bug in the CLI and I pushed up a private PR to fix. Basically, old style package name references like |
|
Thanks for the review and trying this out! |
Remote Queries: Create packs for remote queries
This PR handles two cases:
as the query to run remotely. In this case, run
codeql pack packlistto determine what files to include (and also always includethe lock file and the query itself. Copy to a temp folder and run
pack install, thenpack bundle. Finally upload.file to the temp folder and generate a synthetic qlpack before
installing, bundling and uploading.
Two cases that are not handled:
found.
These case should be possible to handle later.
This PR also includes integration tests that build the pack and verify that its components are what we expect.
Checklist
@github/docs-content-codeqlhas been cc'd in all issues for UI or other user-facing changes made by this pull request.