From 6952ab2973729263dfd9f43f344ab9cafdebf81f Mon Sep 17 00:00:00 2001 From: Nev Wylie <54870357+MSNev@users.noreply.github.com> Date: Fri, 23 May 2025 10:22:18 -0700 Subject: [PATCH] Update SDK Loader to rename the snippet postfix file to avoid CodeQL scanning issues --- .github/codeql/codeql-config.yml | 8 +- .github/workflows/codeql-analysis.yml | 86 +++++++++++++------ common/config/rush/npm-shrinkwrap.json | 18 ++-- gruntfile.js | 4 +- ...snippet-config.js => snippet-config.jsonc} | 0 5 files changed, 72 insertions(+), 44 deletions(-) rename tools/applicationinsights-web-snippet/src/{snippet-config.js => snippet-config.jsonc} (100%) diff --git a/.github/codeql/codeql-config.yml b/.github/codeql/codeql-config.yml index f4a608cf4..d7ae4d259 100644 --- a/.github/codeql/codeql-config.yml +++ b/.github/codeql/codeql-config.yml @@ -9,8 +9,6 @@ paths-ignore: - '**/dist-history/' - '**/rollup.config.js' - '**/docs/webSdk/' - -query-filters: - - exclude: - paths: - - tools/applicationinsights-web-snippet/src/snippet-config.js + - '**/tools/**/*.jsonc' + - '**/node_modules/' + - '**/*.d.ts' \ No newline at end of file diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 6b984191f..2e1a1337d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -22,51 +22,81 @@ on: jobs: analyze: - name: Analyze + name: Analyze (${{ matrix.language }}) runs-on: ubuntu-latest permissions: + # required for all workflows + security-events: write + # required to fetch internal or private CodeQL packs + packages: read + # only required for workflows in private repositories actions: read contents: read - security-events: write - + strategy: fail-fast: false matrix: - language: [ 'javascript' ] - # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ] - # Learn more: - # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed + include: + - language: actions + - language: javascript + - language: javascript-typescript + node-version: '18' + # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'swift' + # Use `c-cpp` to analyze code written in C, C++ or both + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository uses: actions/checkout@v4 - # Initializes the CodeQL tools for scanning. + # Setup Node.js for JavaScript projects + - name: Setup Node.js ${{ matrix.node-version }} + # Only run the build for Typescript/JavaScript language match + if: matrix.language == 'javascript-typescript' + uses: actions/setup-node@v4 + with: + node-version: ${{ matrix.node-version }} + + # Install dependencies for JavaScript projects + - name: Install dependencies + # Only run the build for Typescript/JavaScript language match + if: matrix.language == 'javascript-typescript' + run: | + node common/scripts/install-run-rush.js update --full --recheck + npm install rollup -g + npm install grunt-cli + npm install + node common/scripts/install-run-rush.js update --full --recheck + + # Initializes the CodeQL tools for scanning - name: Initialize CodeQL uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} config-file: ./.github/codeql/codeql-config.yml - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release + + # Build JavaScript project specifically (skipping autobuild for JavaScript) + - name: Build JavaScript + # Only run the build for Typescript/JavaScript language match + if: matrix.language == 'javascript-typescript' + run: npm run build + # Perform the CodeQL Analysis - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{matrix.language}}" + upload-database: true + + # Debug CodeQL configuration + - name: Debug CodeQL configuration + if: always() + run: | + echo "Executed CodeQL for language: ${{ matrix.language }}" + echo "Category used: /language:${{ matrix.language }}" + echo "Node version: ${{ matrix.node-version || 'N/A' }}" \ No newline at end of file diff --git a/common/config/rush/npm-shrinkwrap.json b/common/config/rush/npm-shrinkwrap.json index 4ac8c4e7d..e58f83e89 100644 --- a/common/config/rush/npm-shrinkwrap.json +++ b/common/config/rush/npm-shrinkwrap.json @@ -2858,9 +2858,9 @@ "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==" }, "node_modules/electron-to-chromium": { - "version": "1.5.155", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.155.tgz", - "integrity": "sha512-ps5KcGGmwL8VaeJlvlDlu4fORQpv3+GIcF5I3f9tUKUlJ/wsysh6HU8P5L1XWRYeXfA0oJd4PyM8ds8zTFf6Ng==" + "version": "1.5.157", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.157.tgz", + "integrity": "sha512-/0ybgsQd1muo8QlnuTpKwtl0oX5YMlUGbm8xyqgDU00motRkKFFbUJySAQBWcY79rVqNLWIWa87BGVGClwAB2w==" }, "node_modules/emoji-regex": { "version": "8.0.0", @@ -6224,9 +6224,9 @@ } }, "node_modules/tar-fs": { - "version": "3.0.8", - "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-3.0.8.tgz", - "integrity": "sha512-ZoROL70jptorGAlgAYiLoBLItEKw/fUxg9BSYK/dF/GAGYFJOJJJMvjPAKDJraCXFwadD456FCuvLWgfhMsPwg==", + "version": "3.0.9", + "resolved": "https://registry.npmjs.org/tar-fs/-/tar-fs-3.0.9.tgz", + "integrity": "sha512-XF4w9Xp+ZQgifKakjZYmFdkLoSWd34VGKcsTCwlNWM7QG3ZbaxnTsaBwnjFZqHRf/rROxaR8rXnbtwdvaDI+lA==", "dependencies": { "pump": "^3.0.0", "tar-stream": "^3.1.5" @@ -6819,9 +6819,9 @@ } }, "node_modules/zod": { - "version": "3.25.17", - "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.17.tgz", - "integrity": "sha512-8hQzQ/kMOIFbwOgPrm9Sf9rtFHpFUMy4HvN0yEB0spw14aYi0uT5xG5CE2DB9cd51GWNsz+DNO7se1kztHMKnw==", + "version": "3.25.23", + "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.23.tgz", + "integrity": "sha512-Od2bdMosahjSrSgJtakrwjMDb1zM1A3VIHCPGveZt/3/wlrTWBya2lmEh2OYe4OIu8mPTmmr0gnLHIWQXdtWBg==", "funding": { "url": "https://github.com/sponsors/colinhacks" } diff --git a/gruntfile.js b/gruntfile.js index dd217780d..a2f83cb89 100644 --- a/gruntfile.js +++ b/gruntfile.js @@ -70,7 +70,7 @@ module.exports = function (grunt) { replacements: function() { var snippetBuffer = grunt.file.read("./tools/applicationinsights-web-snippet/build/output/snippet.min.js"); - var snippetConfig = grunt.file.read("./tools/applicationinsights-web-snippet/src/snippet-config.js").trim(); + var snippetConfig = grunt.file.read("./tools/applicationinsights-web-snippet/src/snippet-config.jsonc").trim(); while(snippetConfig.endsWith("\r") || snippetConfig.endsWith("\n")) { snippetConfig = snippetConfig.substring(0, snippetConfig.length - 1); @@ -110,7 +110,7 @@ module.exports = function (grunt) { replacements: function() { var snippetBuffer = grunt.file.read("./tools/applicationinsights-web-snippet/build/output/snippet.js"); - var snippetConfig = grunt.file.read("./tools/applicationinsights-web-snippet/src/snippet-config.js").trim(); + var snippetConfig = grunt.file.read("./tools/applicationinsights-web-snippet/src/snippet-config.jsonc").trim(); while(snippetConfig.endsWith("\r") || snippetConfig.endsWith("\n")) { snippetConfig = snippetConfig.substring(0, snippetConfig.length - 1); } diff --git a/tools/applicationinsights-web-snippet/src/snippet-config.js b/tools/applicationinsights-web-snippet/src/snippet-config.jsonc similarity index 100% rename from tools/applicationinsights-web-snippet/src/snippet-config.js rename to tools/applicationinsights-web-snippet/src/snippet-config.jsonc