Fix upload-sarif potentially initialising CodeQL twice #3006
Status: Open. Wants to merge 5 commits into base: main

Conversation

mbg (Member)

@mbg mbg commented Aug 6, 2025

The upload-sarif action can be used in workflows without an init step. This means that it is possible for the upload-sarif action to be used correctly even though the CodeQL CLI has not yet been initialised. However, if we are uploading multiple SARIF files to a given endpoint, then these are first combined using the CodeQL CLI. To allow this, we currently initialise the CodeQL CLI on the fly in combineSarifFilesUsingCLI if needed for this.

This was fine until #2935 where we started uploading two separate SARIF files and combineSarifFilesUsingCLI could appear more than once in the call path. Since the CodeQL instance was shared, this could result in the CLI being initialised twice.

This PR changes the upload-sarif action to initialise the CLI if needed earlier on in the flow and then propagates the instance down the call path so that it can be shared between multiple calls to combineSarifFilesUsingCLI.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Confirm the readme has been updated if necessary.
  • Confirm the changelog has been updated if necessary.

@mbg mbg requested a review from a team as a code owner August 6, 2025 14:57
@Copilot Copilot AI review requested due to automatic review settings August 6, 2025 14:57
Copilot AI (Contributor) left a comment

Pull Request Overview

The PR fixes a bug where the upload-sarif action could initialize the CodeQL CLI twice when uploading multiple SARIF files. This occurred because combineSarifFilesUsingCLI could be called multiple times in the execution path and each call would initialize CodeQL if needed.

  • Extracts CodeQL initialization logic to occur earlier in the upload flow when multiple SARIF files are detected
  • Refactors the upload functions to accept and pass through a CodeQL instance parameter
  • Updates all call sites to pass the CodeQL instance parameter

Reviewed Changes

Copilot reviewed 10 out of 15 changed files in this pull request and generated 2 comments.

Summary per file:

  • src/upload-sarif-action.ts: Main fix. Initializes CodeQL early and passes it to upload functions; adds helper functions to find SARIF files
  • src/upload-lib.ts: Refactors upload functions to accept a CodeQL parameter; extracts initialization logic into a new function
  • src/init-action-post-helper.ts: Updates the uploadFiles call to pass the CodeQL instance
  • src/analyze-action.ts: Updates uploadFiles calls to pass the CodeQL instance
  • src/init-action-post-helper.test.ts: Updates the test assertion to match the new function signature
  • lib/*.js: Generated JavaScript files that mirror the TypeScript changes

Review comment on this context:

```typescript
    );
  }

  return [];
```

Copilot AI, Aug 6, 2025:

The two helper functions findSecuritySarifFiles and findQualitySarifFiles have duplicated logic. Consider extracting a common function that accepts the predicate as a parameter, or creating a more general function that returns both types of files to reduce code duplication.

Suggested change (replacing the line `return [];`):

```typescript
async function findSarifFilesWithPredicate(
  sarifPath: string,
  predicate: (file: string) => boolean,
  fallback: string[],
): Promise<string[]> {
  if (fs.lstatSync(sarifPath).isDirectory()) {
    return upload_lib.findSarifFilesInDir(sarifPath, predicate);
  }
  return fallback;
}

async function findSecuritySarifFiles(sarifPath: string): Promise<string[]> {
  return findSarifFilesWithPredicate(
    sarifPath,
    upload_lib.CodeScanningTarget.sarifPredicate,
    [sarifPath],
  );
}

async function findQualitySarifFiles(sarifPath: string): Promise<string[]> {
  return findSarifFilesWithPredicate(
    sarifPath,
    upload_lib.CodeQualityTarget.sarifPredicate,
    [],
  );
```

Review comment on this context:

```typescript
  } else {
    codeQL = await initCodeQLForUpload(gitHubVersion, features, logger);
  }
}
```

Copilot AI, Aug 6, 2025:

This CodeQL initialization logic is duplicated from the original combineSarifFilesUsingCLI function. Since this initialization is now handled earlier in the flow in most cases, consider adding a comment explaining when this fallback initialization is still needed to clarify the code's intent.

henrymercer previously approved these changes Aug 6, 2025
@mbg mbg force-pushed the mbg/upload-sarif/fix-twice-init branch from c5c724b to 4836131 on August 7, 2025 11:25
mbg (Member Author)

mbg commented Aug 7, 2025

@henrymercer I rebased to resolve merge conflicts and added 4836131 since the init logic in uploadSpecifiedFiles shouldn't be needed anymore. It would probably be nicer if we split up that function into a variant that requires the CodeQL instance and uploads multiple files and one that doesn't and uploads a single file, but I am not sure it's worth the effort. What do you think?

@mbg mbg requested a review from henrymercer August 7, 2025 11:27
henrymercer (Contributor) left a comment

Throwing out a thought here — how about uploadSpecifiedFiles takes a getCodeQL(): async () => CodeQL function? We could then have analyze provide its CodeQL instance, and upload-sarif provide a function that memoises CodeQL so it's only loaded once?

mbg (Member Author)

mbg commented Aug 7, 2025

Not a bad idea. It would probably mean throwing most of the changes in this PR out, but it would be a simpler overall change and not require us to split up uploadSpecifiedFiles or deal with the current awkwardness.
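The single-initialisation design discussed in the PR description and in henrymercer's getCodeQL() suggestion, as an added TypeScript example that is not code from github/codeql-action: a memoised async getter is handed to every upload path, so however many times combineSarifFilesUsingCLI runs (and even when two callers race for the CLI), initialisation happens at most once, and a single-file upload never touches the CLI at all. The CodeQL interface, the initialiser and the combineSarifFilesUsingCLI / uploadSpecifiedFiles bodies are stand-ins written for this example and only borrow the PR's names; the SARIF file groups are constructed input.

```typescript
// Added example, not code from github/codeql-action. It sketches the
// memoised getCodeQL() idea from the review: every upload path asks one
// shared getter for the CLI, so initialisation happens at most once.
// CodeQL, the initialiser, combineSarifFilesUsingCLI and
// uploadSpecifiedFiles are stand-ins named after the PR's functions.

interface CodeQL {
  // Stand-in for the CLI's SARIF merge step; returns a fake merged name.
  mergeResults(sarifFiles: string[]): Promise<string>;
}

type GetCodeQL = () => Promise<CodeQL>;

// Build a stand-in initialiser (in place of initCodeQLForUpload) together
// with a counter of how often it actually ran, so each run can check that
// sharing the getter collapsed the work to a single initialisation.
function makeCountingInit(): { init: () => Promise<CodeQL>; inits: () => number } {
  let count = 0;
  return {
    init: async () => {
      count += 1;
      return {
        async mergeResults(sarifFiles: string[]): Promise<string> {
          return `merged(${sarifFiles.join("+")})`;
        },
      };
    },
    inits: () => count,
  };
}

// Wrap an async factory so the first call starts initialisation and all
// later calls, concurrent ones included, await that same promise. A
// rejected attempt is forgotten so the next call retries instead of
// returning a cached failure.
function memoiseCodeQL(init: () => Promise<CodeQL>): GetCodeQL {
  let pending: Promise<CodeQL> | undefined;
  return () => {
    if (pending === undefined) {
      pending = init().catch((err: unknown) => {
        pending = undefined;
        throw err;
      });
    }
    return pending;
  };
}

// Merge the SARIF files for one endpoint. A single file needs no merge,
// so the CLI is not even requested in that case.
async function combineSarifFilesUsingCLI(
  sarifFiles: string[],
  getCodeQL: GetCodeQL,
): Promise<string> {
  if (sarifFiles.length === 1) {
    return sarifFiles[0] ?? "";
  }
  const codeql = await getCodeQL();
  return codeql.mergeResults(sarifFiles);
}

// Upload each group (e.g. code-scanning and code-quality SARIF) to its
// endpoint. Both groups go through the same getCodeQL, which is what
// prevents the double initialisation the PR describes.
async function uploadSpecifiedFiles(
  groups: Record<string, string[]>,
  getCodeQL: GetCodeQL,
): Promise<Record<string, string>> {
  const uploaded: Record<string, string> = {};
  for (const [endpoint, files] of Object.entries(groups)) {
    uploaded[endpoint] = await combineSarifFilesUsingCLI(files, getCodeQL);
  }
  return uploaded;
}

// Run one upload-sarif style flow over the given file groups and report
// how many initialisations it took.
async function runUploadSarifExample(
  groups: Record<string, string[]>,
): Promise<{ uploaded: Record<string, string>; inits: number }> {
  const counting = makeCountingInit();
  const getCodeQL = memoiseCodeQL(counting.init);
  const uploaded = await uploadSpecifiedFiles(groups, getCodeQL);
  return { uploaded, inits: counting.inits() };
}

// Two callers racing for the CLI at the same moment still share one
// instance: both await the same pending promise.
async function runConcurrentInitExample(): Promise<{ inits: number; sameInstance: boolean }> {
  const counting = makeCountingInit();
  const getCodeQL = memoiseCodeQL(counting.init);
  const [a, b] = await Promise.all([getCodeQL(), getCodeQL()]);
  return { inits: counting.inits(), sameInstance: a === b };
}

// Constructed input: two endpoints, each with two SARIF files to merge.
runUploadSarifExample({
  "code-scanning": ["a.sarif", "b.sarif"],
  "code-quality": ["a.quality.sarif", "b.quality.sarif"],
}).then((result) => console.log(JSON.stringify(result)));
```

With the getter passed down instead of a ready instance, analyze can hand in a getter that returns its already-initialised CodeQL, while upload-sarif hands in the memoised one; neither caller needs to know whether the other has already paid the initialisation cost.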
