Merge pull request #2463 from github/henrymercer/job-uuid-in-sarif

Add job run UUID to SARIF output
github · Sep 5, 2024 · ad5c608 · ad5c608
2 parents 3b0aa30 + 90cf3d2
commit ad5c608
Show file tree

Hide file tree

Showing 8 changed files with 138 additions and 2 deletions.
diff --git a/.github/workflows/__job-run-uuid-sarif.yml b/.github/workflows/__job-run-uuid-sarif.yml
diff --git a/lib/codeql.js b/lib/codeql.js
diff --git a/lib/codeql.js.map b/lib/codeql.js.map
diff --git a/lib/tools-features.js b/lib/tools-features.js
diff --git a/lib/tools-features.js.map b/lib/tools-features.js.map
diff --git a/pr-checks/checks/job-run-uuid-sarif.yml b/pr-checks/checks/job-run-uuid-sarif.yml
@@ -0,0 +1,30 @@
+name: "Job run UUID added to SARIF"
+description: "Tests that the job run UUID is added to the SARIF output"
+operatingSystems: ["ubuntu"]
+versions: ["nightly-latest"]
+steps:
+  - uses: ./../action/init
+    id: init
+    with:
+      languages: javascript
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
+  - uses: ./../action/analyze
+    with:
+      output: "${{ runner.temp }}/results"
+  - name: Upload SARIF
+    uses: actions/upload-artifact@v3
+    with:
+      name: ${{ matrix.os }}-${{ matrix.version }}.sarif.json
+      path: "${{ runner.temp }}/results/javascript.sarif"
+      retention-days: 7
+  - name: Check results
+    shell: bash
+    run: |
+      cd "$RUNNER_TEMP/results"
+      actual=$(jq -r '.runs[0].properties.jobRunUuid' javascript.sarif)
+      if [[ "$actual" != "$JOB_RUN_UUID" ]]; then
+        echo "Expected SARIF output to contain job run UUID '$JOB_RUN_UUID', but found '$actual'."
+        exit 1
+      else
+        echo "Found job run UUID '$actual'."
+      fi
diff --git a/src/codeql.ts b/src/codeql.ts
@@ -870,6 +870,7 @@ export async function getCodeQLForCmd(
         )}`,
         "--sarif-group-rules-by-pack",
         ...(await getCodeScanningQueryHelpArguments(this)),
+        ...(await getJobRunUuidSarifOptions(this)),
         ...getExtraOptionsFromEnv(["database", "interpret-results"]),
       ];
       if (automationDetailsId !== undefined) {
@@ -1423,3 +1424,14 @@ function applyAutobuildAzurePipelinesTimeoutFix() {
     "-Dmaven.wagon.http.pool=false",
   ].join(" ");
 }
+
+async function getJobRunUuidSarifOptions(codeql: CodeQL) {
+  const jobRunUuid = process.env[EnvVar.JOB_RUN_UUID];
+
+  return jobRunUuid &&
+    (await codeql.supportsFeature(
+      ToolsFeature.DatabaseInterpretResultsSupportsSarifRunProperty,
+    ))
+    ? [`--sarif-run-property=jobRunUuid=${jobRunUuid}`]
+    : [];
+}
diff --git a/src/tools-features.ts b/src/tools-features.ts
@@ -3,6 +3,7 @@ import type { VersionInfo } from "./codeql";
 export enum ToolsFeature {
   AnalysisSummaryV2IsDefault = "analysisSummaryV2Default",
   BuildModeOption = "buildModeOption",
+  DatabaseInterpretResultsSupportsSarifRunProperty = "databaseInterpretResultsSupportsSarifRunProperty",
   IndirectTracingSupportsStaticBinaries = "indirectTracingSupportsStaticBinaries",
   InformsAboutUnsupportedPathFilters = "informsAboutUnsupportedPathFilters",
   SetsCodeqlRunnerEnvVar = "setsCodeqlRunnerEnvVar",