Add functionality to enable use with the VS Code CodeQL extension (#20)

rvermeulen · web-flow · commit 8efc4e5615a0 · 2022-08-18T19:27:27.000+01:00
* Add local version pinning

This enables pinning a CodeQL version per working directory.

* Add install stub command

This installs a stub allowing the GH CodeQL extension to be used by the
VS Code extension.

* Add version override through environment variable

The environment variable `GH_CODEQL_VERSION` can be used to override the
global and local version specification. This is needed when we want to
override the CodeQL version used by the VS Code extension, because the
working directory used by the extension is `/` so we can't find any
local version specification part of the project using CodeQL.

With this override we can alias `code` to check for `.codeql-version` in
PWD or the path passed as an argument and set `GH_CODEQL_VERSION`.

* Update README with new commands

* Add description of local version pinning

* Add description of the `install-stub` command.

* Address incorrect indentation

* Add test for `install-stub` command

* Ensure the latest version is avaible for the test

* Add test for version override

* Restore the channel after the nightly version test

* Address spelling mistake in comment

* Remove superfluous download step

The selected version will be downloaded if not available.

* Address spelling mistake in comment

* Update install-stub command's descriptive comment

Explain what the command does.

* Address `jq` parser error

The version override causes a CodeQL CLI download that outputs cURL
outpuut which confuses the `jq` parser.
By running the command twice we remediate the issue.

* Add test for local pinned version modification

This test validates if we properly handle a local pinned version
modification without using the `set-local-version` command.

* Address pinning persistence influencing other tests

After each test using local pinning we unpin the version.

* Update error message when installing stub

When a directory doesn't exists, the user is asked to provide a
different directory to install a stub.

* Add permission check to install-stub command

Check if we can write to the provided/default directory and return an error message if we
can't.

* Disable per directory pinning by default

The command 'set-local-version' will show a warning when per directory
pinning is disabled (the default) and explicitly asks the user to enable
it.

* Update how we support local version

- Add explicit commands to enable/disable local version support.
- Show a warning when a local version is specified, but local version
  support is disabled.
- Show a warning when enabling local version support.
- Show an error when a local version is set while local version support
  is disabled.

* Address spelling mistake in test name

* Improve error message 'local-version' command
diff --git a/.github/workflows/pr-checks.yml b/.github/workflows/pr-checks.yml
@@ -32,7 +32,7 @@ jobs:
           # Note we need to run a command before trying to parse the output below, or the
           # messages from the download will end up in the JSON that jq tries to parse
           gh codeql version 
-          
+
           INSTALLED=`gh codeql version --format json | jq -r '.version'`
           if [[ "v$INSTALLED" != $LATEST ]]; then
             echo "::error::Expected latest version of $LATEST to be installed, but found v$INSTALLED"
@@ -84,6 +84,103 @@ jobs:
             exit 1
           fi
 
+      - name: Check local version pinning
+        shell: bash
+        run: |
+          # Enable local version support
+          gh codeql local-version on
+          gh codeql set-version latest
+          # Get the latest installed version
+          LATEST=`gh codeql version --format json | jq -r '.version'`
+          # Set a local version
+          gh codeql set-local-version 2.5.9
+          VERSION=`gh codeql version --format json | jq -r '.version'`
+          if [[ $VERSION != "2.5.9" ]]; then
+            echo "::error::Expected version 2.5.9 but got $VERSION"
+            exit 1
+          fi
+
+          # Create a temp directory so we can  change the working directory
+          mkdir temp
+          pushd temp
+          OTHER_VERSION=`gh codeql version --format json | jq -r '.version'`
+
+          if [[ $OTHER_VERSION != $LATEST ]]; then
+            echo "::error::Expected version $LATEST but got $OTHER_VERSION"
+            exit 1
+          fi
+          popd
+          rmdir temp
+          gh codeql unset-local-version
+          # Disable local version support
+          gh codeql local-version off
+
+      - name: Check local version unpinning
+        shell: bash
+        run: |
+          # Enable local version support
+          gh codeql local-version on
+          gh codeql set-version latest
+          # Get the latest installed version
+          LATEST=`gh codeql version --format json | jq -r '.version'`
+          # Set a local version
+          gh codeql set-local-version 2.5.9
+          # Unset the local version
+          gh codeql unset-local-version
+          if [[ $VERSION == "2.5.9" ]]; then
+            echo "::error::Expected $LATEST version but got 2.5.9"
+            exit 1
+          fi
+          # Disable local version support
+          gh codeql local-version off
+
+      - name: Check local version pinning modification
+        shell: bash
+        run: |
+          # Enable local version support
+          gh codeql local-version on
+          gh codeql set-version latest
+          # Get the latest installed version
+          LATEST=`gh codeql version --format json | jq -r '.version'`
+          # Set a local version
+          gh codeql set-local-version 2.5.9
+          VERSION=`gh codeql version --format json | jq -r '.version'`
+          if [[ $VERSION != "2.5.9" ]]; then
+            echo "::error::Expected version 2.5.9 but got $VERSION"
+            exit 1
+          fi
+
+          # Modify the pinned version without using the CLI
+          echo v2.7.6 > .codeql-version
+          # We run the command twice to prevent cURL output from causing a `jq` parser error.
+          gh codeql version
+          VERSION=`gh codeql version --format json | jq -r '.version'`
+          if [[ $VERSION != "2.7.6" ]]; then
+            echo "::error::Expected version 2.7.6 but got $VERSION"
+            exit 1
+          fi
+          gh codeql unset-local-version
+          # Disable local version support
+          gh codeql local-version off
+
+      - name: Check local version pinning is disabled by default
+        shell: bash
+        run: |
+          gh codeql set-version latest
+          # Get the latest installed version
+          LATEST=`gh codeql version --format json | jq -r '.version'`
+
+          # Modify the pinned version without using the CLI
+          echo v2.7.6 > .codeql-version
+          # We run the command twice to prevent cURL output from causing a `jq` parser error.
+          gh codeql version
+          VERSION=`gh codeql version --format json | jq -r '.version'`
+          if [[ $VERSION = "2.7.6" ]]; then
+            echo "::error::Expected version $LATEST but got $VERSION"
+            exit 1
+          fi
+          rm .codeql-version
+
       - name: Check getting nightly version
         shell: bash
         run: |
@@ -93,4 +190,36 @@ jobs:
           if [[ $VERSION != "2.6.0+202108311306" ]]; then
             echo "::error::Expected version 2.6.0+202108311306 but got $VERSION"
             exit 1
-          fi
+          fi
+          gh codeql set-channel release
+
+      - name: Check version override
+        shell: bash
+        run: |
+          gh codeql set-version latest
+          # We run the command with a version override twice such that first run will download the CodeQL CLI
+          # and the cURL output doesn't confuse the `jq` parser in the second run.
+          # This implicit download is to test that we properly support the implicit download of a requested version if it is not present.
+          GH_CODEQL_VERSION=v2.7.6 gh codeql version
+          VERSION=`GH_CODEQL_VERSION=v2.7.6 gh codeql version --format json | jq -r '.version'`
+
+          if [[ $VERSION != "2.7.6" ]]; then
+            echo "::error::Expected version 2.7.6 but got $VERSION"
+            exit 1
+          fi
+
+      - name: Check use of stub
+        shell: bash
+        run: |
+          gh codeql set-version latest
+          VERSION=`gh codeql version --format json | jq -r '.version'`
+
+          mkdir temp
+          gh codeql install-stub temp
+          OTHER_VERSION=`temp/codeql version --format json | jq -r '.version'`
+          if [[ $OTHER_VERSION != $VERSION ]]; then
+            echo "::error::Expected version $VERSION but got $OTHER_VERSION"
+            exit 1
+          fi
+
+          rm -r temp
diff --git a/README.md b/README.md
@@ -15,12 +15,15 @@ GitHub command-line wrapper for the CodeQL CLI.
 Usage:
     gh codeql set-channel [release|nightly]     # default: release
     gh codeql set-version [version]             # default: latest
+    gh codeql set-local-version [version]       # set the version for the current working directory, default: latest
+    gh codeql unset-local-version               # switch back to the global version
     gh codeql list-versions                     # list all available versions for current channel
     gh codeql list-installed                    # list installed versions for current channel
     gh codeql cleanup <version>                 # delete a specific downloaded version
     gh codeql cleanup-all                       # delete all installed versions for all channels
     gh codeql download [version]                # download a specific version (default: latest)
     gh codeql debug [on|off]                    # enable/disable debug output for gh extension
+    gh codeql install-stub [dir]                # default: /usr/local/bin/
     gh codeql <anything else>                   # pass arguments to CodeQL CLI
 
 Current channel: release.
@@ -39,12 +42,16 @@ You can list the installed versions from the current channel with `gh codeql lis
 
 ### Versions
 
-The `gh codeql` command always works relative to a pinned version on the current channel. You can manually specify the pinned version using `gh codeql set-version`.
+The `gh codeql` command always works relative to a pinned version on the current channel. You can manually specify the pinned version using `gh codeql set-version`. To pin a version to a working directory you can use the command `gh codeql set-local-version` and `gh codeql` will always use that version when running in that working directory. To remove a pin from a working directory run `gh codeql unset-local-version` in that working directory.
 
 You can download additional versions without pinning them (perhaps to prepare for local comparisons) using `gh codeql download`.
 
 To upgrade, run `gh codeql set-version latest`, which will pin you to the current latest version.
 
+### CodeQL stub
+
+If you want to use the GitHub CLI managed CodeQL version directly in a terminal or use it with the Visual Studio Code CodeQL extension then you can install a stub using the command `gh codeql install-stub` that will install a Bash script called `codeql` that invokes the GitHub CLI. The default install directory is `/usr/local/bin/`, but you can change this by passing an existing directory.
+
 ## Development
 
 This extension is newly released and under active development. Contributions are very welcome, for more information about how you can contribute, please check our [CONTRIBUTING.md](CONTRIBUTING.md) file. For a list of outstanding issues, please take a look at [our backlog](https://github.com/github/gh-codeql/issues). If you encounter a problem that does not already have an open issue associated with it, please open one there.
diff --git a/gh-codeql b/gh-codeql
@@ -11,23 +11,58 @@ error() {
     exit 1
 }
 
+warning() {
+    echo "WARNING: $*" 1>&2
+}
+
 rootdir="$(dirname "$0")"
 channel="$(gh config get extensions.codeql.channel 2> /dev/null)" || : # Suppress an error and return empty if the field doesn't exist
 version="$(gh config get extensions.codeql.version 2> /dev/null)" || : # Suppress an error and return empty if the field doesn't exist
 
+# Handle local-version command first to prevent local version warning when enabling local version support if a local version is specified..
+if [ "$1" = "local-version" ] ; then
+    if [ "$2" = "on" ] ; then
+        warning "Local version support is disabled by default to remove the opportunity from untrusted git repositories to
+abuse older CodeQL CLIs. To disable local version support again run the command 'gh codeql local-version off'."
+        gh config set extensions.codeql.local-version true 2> /dev/null # Ignore a warning about unrecognized custom keys
+    elif [ "$2" = "off" ] ; then
+        gh config set extensions.codeql.local-version false 2> /dev/null # Ignore a warning about unrecognized custom keys
+    else
+        error "Invalid local-version command: '$2'. Supported values are 'on' or 'off'."
+    fi
+    exit 0
+fi
+
+local_version="$(gh config get extensions.codeql.local-version 2> /dev/null)" || : # Suppress an error and return empty if the field doesn't exist
+
+if [ -e .codeql-version ]; then
+    if [ "$local_version" = "true" ]; then
+        version=$(<.codeql-version)
+    else
+        warning "Ignoring local version because local version support is off. Call the command 'gh codeql local-version on' to enable local version support. "
+    fi
+fi
+
+# The environment variable GH_CODEQL_VERSION overrides all specified versions.
+version=${GH_CODEQL_VERSION:-$version}
+
 if [ -z "$1" ]; then
     cat <<EOF
 GitHub command-line wrapper for the CodeQL CLI.
 
 Usage:
     gh codeql set-channel [release|nightly]     # default: release
     gh codeql set-version [version]             # default: latest
+    gh codeql local-version [on|off]            # enable/disable local version support
+    gh codeql set-local-version [version]       # set the version for the current working directory, default: latest
+    gh codeql unset-local-version               # switch back to the global version
     gh codeql list-versions                     # list all available versions for current channel
     gh codeql list-installed                    # list installed versions for current channel
     gh codeql cleanup <version>                 # delete a specific downloaded version
     gh codeql cleanup-all                       # delete all installed versions for all channels
     gh codeql download [version]                # download a specific version (default: latest)
     gh codeql debug [on|off]                    # enable/disable debug output for gh extension
+    gh codeql install-stub [dir]                # install an executable script named 'codeql' that invokes 'gh codeql' with the passed arguments (default: /usr/local/bin/)
     gh codeql <anything else>                   # pass arguments to CodeQL CLI
 
 Current channel: ${channel:-not specified}.
@@ -131,7 +166,7 @@ function download() {
     rm -rf "$tempdir"
 }
 
-function set_version() {
+function validate_version() {
     local version="$1"
     if [ -z "$version" ]; then
         error "Version must be specified. Use 'latest' to automatically determine the latest version."
@@ -156,10 +191,49 @@ function set_version() {
             error "Unknown version: '$1'."
         fi
     fi
+    echo "$version"
+}
+
+function set_version() {
+    local version=$(validate_version "$1")
+    if [ -z "$version" ]; then
+        exit 1
+    fi
     download "$version"
     gh config set extensions.codeql.version "$version" 2> /dev/null # Ignore a warning about unrecognized custom keys
 }
 
+function set_local_version() {
+    local version=$(validate_version "$1")
+    download "$version"
+    echo "$version" > .codeql-version
+}
+
+function install_stub() {
+    local bindir="$1"
+    if [ -z "$bindir" ]; then
+        bindir="/usr/local/bin"
+    fi
+
+    if [ ! -e "$bindir" ]; then
+        error "The directory $bindir doesn't exist, please provide a different directory like 'gh codeql install-stub [dir]' to install a stub."
+    fi
+
+    if [ -w "$bindir" ]; then
+
+        cat << "_codeql_stub" > "$bindir/codeql"
+#!/usr/bin/env bash
+
+set -e
+exec -a codeql gh codeql "$@"
+_codeql_stub
+
+        chmod +x "$bindir/codeql"
+    else
+        error "Missing write permission on $bindir. Please provide a directory with write permissions to install a stub."
+    fi
+}
+
 # Handle the download command.
 if [ "$1" = "download" ]; then
     download "$2"
@@ -173,6 +247,31 @@ if [ "$1" = "set-version" ]; then
     exec "$rootdir/dist/$channel/$version/codeql" version
 fi
 
+# Handle the set-local-version command
+if [ "$1" = "set-local-version" ]; then
+    if [ "$local_version" = "true" ]; then
+        set_local_version "$2"
+        version="$(<.codeql-version)" || : # Supress an error and return empty if the file doesn't exist
+        exec "$rootdir/dist/$channel/$version/codeql" version
+    else
+        error "$(cat << _message
+Local version support is disabled by default to remove the opportunity from untrusted git repositories to
+abuse older CodeQL CLIs. Enable local version support with the command 'gh codeql local-version on'.
+_message
+)"
+    fi
+fi
+
+# Handle the unset-local-version command
+if [ "$1" = "unset-local-version" ]; then
+    if [ -e .codeql-version ]; then
+        rm -f .codeql-version
+    else
+        warning "No local version specified."
+    fi
+    exit 0
+fi
+
 # Handle the list-installed command.
 if [ "$1" = "list-installed" ]; then
     ( cd "$rootdir/dist/$channel" ; find . -mindepth 1 -maxdepth 1 -type d | cut -c3- ; )
@@ -196,6 +295,12 @@ if [ "$1" = "cleanup-all" ]; then
     exit 0
 fi
 
+# Handle the install-stub command
+if [ "$1" = "install-stub" ]; then
+    install_stub "$2"
+    exit 0
+fi
+
 if [ -z "$version" ]; then
     set_version latest
     version="$(gh config get extensions.codeql.version 2> /dev/null)" || : # Suppress an error and return empty if the field doesn't exist
