[pull] main from github:main

.github/codeql/codeql-config.yml

@@ -2,10 +2,14 @@ name: "CodeQL config"
 queries:
   - name: Run standard queries
     uses: security-and-quality
+  - name: Experimental queries
+    uses: security-experimental
   - name: Run custom javascript queries
     uses: ./.github/codeql/queries
 paths:
   - ./extensions/ql-vscode
+  - ./.github/workflows
+  - ./.github/actions
 paths-ignore:
   - '**/node_modules'
   - '**/build'

.github/codeql/queries/ProgressBar.qll

@@ -0,0 +1,16 @@
+import javascript
+
+class WithProgressCall extends CallExpr {
+  WithProgressCall() { this.getCalleeName() = "withProgress" }
+
+  predicate usesToken() { exists(this.getTokenParameter()) }
+
+  Parameter getTokenParameter() { result = this.getArgument(0).(Function).getParameter(1) }
+
+  Property getCancellableProperty() { result = this.getArgument(1).(ObjectExpr).getPropertyByName("cancellable") }
+
+  predicate isCancellable() {
+    this.getCancellableProperty().getInit().(BooleanLiteral).getBoolValue() =
+      true
+  }
+}

.github/codeql/queries/assert-no-vscode-dependency.ql

@@ -0,0 +1,37 @@
+/**
+ * @name Unwanted dependency on vscode API
+ * @kind path-problem
+ * @problem.severity error
+ * @id vscode-codeql/assert-no-vscode-dependency
+ * @description The modules stored under `common` should not have dependencies on the VS Code API
+ */
+
+import javascript
+
+class VSCodeImport extends ImportDeclaration {
+  VSCodeImport() { this.getImportedPath().getValue() = "vscode" }
+}
+
+class CommonFile extends File {
+  CommonFile() {
+    this.getRelativePath().regexpMatch(".*/src/common/.*") and
+    not this.getRelativePath().regexpMatch(".*/vscode/.*")
+  }
+}
+
+Import getANonTypeOnlyImport(Module m) {
+  result = m.getAnImport() and not result.(ImportDeclaration).isTypeOnly()
+}
+
+query predicate edges(AstNode a, AstNode b) {
+  getANonTypeOnlyImport(a) = b or
+  a.(Import).getImportedModule() = b
+}
+
+from Module m, VSCodeImport v
+where
+  m.getFile() instanceof CommonFile and
+  edges+(m, v)
+select m, m, v,
+  "This module is in the 'common' directory but has a transitive dependency on the vscode API imported $@",
+  v, "here"

.github/codeql/queries/progress-not-cancellable.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Using token for non-cancellable progress bar
+ * @kind problem
+ * @problem.severity warning
+ * @id vscode-codeql/progress-not-cancellable
+ * @description If we call `withProgress` without `cancellable: true` then the
+ * token that is given to us should be ignored because it won't ever be cancelled.
+ * This makes the code more confusing as it tries to account for cases that can't
+ * happen. The fix is to either not use the token or make the progress bar cancellable.
+ */
+
+import javascript
+import ProgressBar
+
+from WithProgressCall t
+where not t.isCancellable() and t.usesToken()
+select t,
+  "The $@ should not be used when the progress bar is not cancellable. Either stop using the $@ or mark the progress bar as cancellable.",
+  t.getTokenParameter(), t.getTokenParameter().getName(), t.getTokenParameter(),
+  t.getTokenParameter().getName()

.github/codeql/queries/qlpack.yml

@@ -1,3 +1,4 @@
 name: vscode-codeql-custom-queries-javascript
 version: 0.0.0
-libraryPathDependencies: codeql-javascript
+dependencies:
+  codeql/javascript-queries: "*"

.github/codeql/queries/token-not-used.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Don't ignore the token for a cancellable progress bar
+ * @kind problem
+ * @problem.severity warning
+ * @id vscode-codeql/token-not-used
+ * @description If we call `withProgress` with `cancellable: true` but then
+ * ignore the token that is given to us, it will lead to a poor user experience
+ * because the progress bar will appear to be canceled but it will not actually
+ * affect the background process. Either check the token and respect when it
+ * has been cancelled, or mark the progress bar as not cancellable.
+ */
+
+import javascript
+import ProgressBar
+
+from WithProgressCall t
+where t.isCancellable() and not t.usesToken()
+select t, "This progress bar is $@ but the token is not used. Either use the token or mark the progress bar as not cancellable.", t.getCancellableProperty(), "cancellable"

.github/codeql/queries/unique-command-use.ql

@@ -0,0 +1,159 @@
+/**
+ * @name A VS Code command should not be used in multiple locations
+ * @kind problem
+ * @problem.severity warning
+ * @id vscode-codeql/unique-command-use
+ * @description Using each VS Code command from only one location makes
+ * our telemetry more useful, because we can differentiate more user
+ * interactions and know which features of the UI our users are using.
+ * To fix this alert, new commands will need to be made so that each one
+ * is only used from one location. The commands should share the same
+ * implementation so we do not introduce duplicate code.
+ * When fixing this alert, search the codebase for all other references
+ * to the command name. The location of the alert is an arbitrarily
+ * chosen usage of the command, and may not necessarily be the location
+ * that should be changed to fix the alert.
+ */
+
+import javascript
+
+/**
+ * The name of a VS Code command.
+ */
+class CommandName extends string {
+  CommandName() { exists(CommandUsage e | e.getCommandName() = this) }
+
+  /**
+   * In how many ways is this command used. Will always be at least 1.
+   */
+  int getNumberOfUsages() { result = count(this.getAUse()) }
+
+  /**
+   * Get a usage of this command.
+   */
+  CommandUsage getAUse() { result.getCommandName() = this }
+
+  /**
+   * Get the canonical first usage of this command, to use for the location
+   * of the alert. The implementation of this ordering of usages is arbitrary
+   * and the usage given may not be the one that should be changed when fixing
+   * the alert.
+   */
+  CommandUsage getFirstUsage() {
+    result =
+      max(CommandUsage use |
+        use = this.getAUse()
+      |
+        use
+        order by
+          use.getFile().getRelativePath(), use.getLocation().getStartLine(),
+          use.getLocation().getStartColumn()
+      )
+  }
+}
+
+/**
+ * Matches one of the members of `BuiltInVsCodeCommands` from `extensions/ql-vscode/src/common/commands.ts`.
+ */
+class BuiltInVSCodeCommand extends string {
+  BuiltInVSCodeCommand() {
+    exists(TypeAliasDeclaration tad |
+      tad.getIdentifier().getName() = "BuiltInVsCodeCommands" and
+      tad.getDefinition().(InterfaceTypeExpr).getAMember().getName() = this
+    )
+  }
+}
+
+/**
+ * Represents a single usage of a command, either from within code or
+ * from the command's definition in package.json
+ */
+abstract class CommandUsage extends Locatable {
+  abstract string getCommandName();
+}
+
+/**
+ * A usage of a command from the typescript code, by calling `executeCommand`.
+ */
+class CommandUsageCallExpr extends CommandUsage, CallExpr {
+  CommandUsageCallExpr() {
+    this.getCalleeName() = "executeCommand" and
+    this.getArgument(0).(StringLiteral).getValue().matches("%codeQL%") and
+    not this.getFile().getRelativePath().matches("extensions/ql-vscode/test/%")
+  }
+
+  override string getCommandName() { result = this.getArgument(0).(StringLiteral).getValue() }
+}
+
+/**
+ * A usage of a command from the typescript code, by calling `CommandManager.execute`.
+ */
+class CommandUsageCommandManagerMethodCallExpr extends CommandUsage, MethodCallExpr {
+  CommandUsageCommandManagerMethodCallExpr() {
+    this.getCalleeName() = "execute" and
+    this.getReceiver().getType().unfold().(TypeReference).getTypeName().getName() = "CommandManager" and
+    this.getArgument(0).(StringLiteral).getValue().matches("%codeQL%") and
+    not this.getFile().getRelativePath().matches("extensions/ql-vscode/test/%")
+  }
+
+  override string getCommandName() { result = this.getArgument(0).(StringLiteral).getValue() }
+}
+
+/**
+ * A usage of a command from any menu that isn't the command palette.
+ * This means a user could invoke the command by clicking on a button in
+ * something like a menu or a dropdown.
+ */
+class CommandUsagePackageJsonMenuItem extends CommandUsage, JsonObject {
+  CommandUsagePackageJsonMenuItem() {
+    exists(this.getPropValue("command")) and
+    exists(PackageJson packageJson, string menuName |
+      packageJson
+          .getPropValue("contributes")
+          .getPropValue("menus")
+          .getPropValue(menuName)
+          .getElementValue(_) = this and
+      menuName != "commandPalette"
+    )
+  }
+
+  override string getCommandName() { result = this.getPropValue("command").getStringValue() }
+}
+
+/**
+ * Is the given command disabled for use in the command palette by
+ * a block with a `"when": "false"` field.
+ */
+predicate isDisabledInCommandPalette(string commandName) {
+  exists(PackageJson packageJson, JsonObject commandPaletteObject |
+    packageJson
+        .getPropValue("contributes")
+        .getPropValue("menus")
+        .getPropValue("commandPalette")
+        .getElementValue(_) = commandPaletteObject and
+    commandPaletteObject.getPropValue("command").getStringValue() = commandName and
+    commandPaletteObject.getPropValue("when").getStringValue() = "false"
+  )
+}
+
+/**
+ * Represents a command being usable from the command palette.
+ * This means that a user could choose to manually invoke the command.
+ */
+class CommandUsagePackageJsonCommandPalette extends CommandUsage, JsonObject {
+  CommandUsagePackageJsonCommandPalette() {
+    this.getFile().getBaseName() = "package.json" and
+    exists(this.getPropValue("command")) and
+    exists(PackageJson packageJson |
+      packageJson.getPropValue("contributes").getPropValue("commands").getElementValue(_) = this
+    ) and
+    not isDisabledInCommandPalette(this.getPropValue("command").getStringValue())
+  }
+
+  override string getCommandName() { result = this.getPropValue("command").getStringValue() }
+}
+
+from CommandName c
+where c.getNumberOfUsages() > 1 and not c instanceof BuiltInVSCodeCommand
+select c.getFirstUsage(),
+  "The " + c + " command is used from " + c.getNumberOfUsages() + " locations"

.github/dependabot.yml

@@ -8,15 +8,39 @@ updates:
     labels:
       - "Update dependencies"
     ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
+      # @types/node is related to the version of VS Code we're supporting and should
+      # not be updated to a newer version of Node automatically. However, patch versions
+      # are unrelated to the Node version, so we allow those.
+      - dependency-name: "@types/node"
+        update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    groups:
+      octokit:
+        patterns:
+          - "@octokit/*"
+        update-types:
+          - "minor"
+          - "patch"
+      storybook:
+        patterns:
+          - "@storybook/*"
+          - "storybook"
+      testing-library:
+        patterns:
+          - "@testing-library/*"
+      typescript-eslint:
+        patterns:
+          - "@typescript-eslint/*"
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "thursday" # Thursday is arbitrary
     labels:
       - "Update dependencies"
-    ignore:
-      - dependency-name: "*"
-        update-types: ["version-update:semver-minor", "version-update:semver-patch"]
+  - package-ecosystem: docker
+    directory: "extensions/ql-vscode/test/e2e/docker"
+    schedule:
+      interval: "weekly"
+      day: "thursday" # Thursday is arbitrary
+    labels:
+      - "Update dependencies"

.github/pull_request_template.md

@@ -5,8 +5,4 @@
 
 Replace this with a description of the changes your pull request makes.
 
-## Checklist
-
-- [ ] [CHANGELOG.md](https://github.com/github/vscode-codeql/blob/main/extensions/ql-vscode/CHANGELOG.md) has been updated to incorporate all user visible changes made by this pull request.
-- [ ] Issues have been created for any UI or other user-facing changes made by this pull request.
-- [ ] _[Maintainers only]_ If this pull request makes user-facing changes that require documentation changes, open a corresponding docs pull request in the [github/codeql](https://github.com/github/codeql/tree/main/docs/codeql/codeql-for-visual-studio-code) repo and add the `ready-for-doc-review` label there.
+Remember to update the [changelog](https://github.com/github/vscode-codeql/blob/main/extensions/ql-vscode/CHANGELOG.md) if there have been user-facing changes!