diff --git a/images/macos/provision/core/codeql-bundle.sh b/images/macos/provision/core/codeql-bundle.sh
new file mode 100644
index 000000000..1b6e2c405
--- /dev/null
+++ b/images/macos/provision/core/codeql-bundle.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -e -o pipefail
+source ~/utils/utils.sh
+
+# Retrieve the name of the CodeQL bundle preferred by the Action (in the format codeql-bundle-YYYYMMDD).
+codeql_bundle_name="$(curl -sSL https://raw.githubusercontent.com/github/codeql-action/v2/src/defaults.json | jq -r .bundleVersion)"
+# Convert the bundle name to a version number (0.0.0-YYYYMMDD).
+codeql_bundle_version="0.0.0-${codeql_bundle_name##*-}"
+
+echo "Downloading CodeQL bundle $codeql_bundle_version..."
+download_with_retries "https://github.com/github/codeql-action/releases/download/$codeql_bundle_name/codeql-bundle.tar.gz" "/tmp" "codeql-bundle.tar.gz"
+codeqlArchive="/tmp/codeql-bundle.tar.gz"
+
+codeqlToolcachePath="$AGENT_TOOLSDIRECTORY/codeql/$codeql_bundle_version/x64"
+mkdir -p $codeqlToolcachePath
+
+echo "Unpacking the downloaded CodeQL bundle archive..."
+tar -xzf $codeqlArchive -C $codeqlToolcachePath
+
+# Touch a special file that indicates to the CodeQL Action that this bundle was baked-in to the hosted runner images.
+touch "$codeqlToolcachePath/pinned-version"
+
+# Touch a file to indicate to the toolcache that setting up CodeQL is complete.
+touch "$codeqlToolcachePath.complete"
diff --git a/images/macos/software-report/SoftwareReport.Common.psm1 b/images/macos/software-report/SoftwareReport.Common.psm1
index 56d68f6e1..ff949b008 100644
--- a/images/macos/software-report/SoftwareReport.Common.psm1
+++ b/images/macos/software-report/SoftwareReport.Common.psm1
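Review bot: `codeql_bundle_name` is taken from a remote JSON document and spliced straight into a release URL and a toolcache directory name, but nothing checks that it has the `codeql-bundle-YYYYMMDD` shape the comment assumes; a missing key (jq prints `null`) or a renamed bundle would yield a `0.0.0-null`-style version and path instead of failing the build. A guard right after the assignment, `[[ "$codeql_bundle_name" =~ ^codeql-bundle-[0-9]{8}$ ]] || { echo "Unexpected CodeQL bundle name: $codeql_bundle_name" >&2; exit 1; }`, would stop the script before anything is downloaded or written. The expansions in `mkdir -p $codeqlToolcachePath` and `tar -xzf $codeqlArchive -C $codeqlToolcachePath` are unquoted, unlike the `touch` lines beneath them; `mkdir -p "$codeqlToolcachePath"` and `tar -xzf "$codeqlArchive" -C "$codeqlToolcachePath"` keep a toolcache path containing spaces from being split. The archive is unpacked into the toolcache with no integrity check beyond the TLS download; if a checksum is published alongside the release, comparing it before the `tar` call would be worth the extra line, and the copy left in `/tmp` could be removed once extraction succeeds.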
@@ -584,4 +584,12 @@ function Build-GraalVMTable {
 "Version" = $version
 "Environment variables" = $envVariables
 }
+}
+
+function Get-CodeQLBundleVersion {
+ $CodeQLVersionWildcard = Join-Path $Env:AGENT_TOOLSDIRECTORY -ChildPath "CodeQL" | Join-Path -ChildPath "*"
+ $CodeQLVersionPath = Get-ChildItem $CodeQLVersionWildcard | Select-Object -First 1 -Expand FullName
+ $CodeQLPath = Join-Path $CodeQLVersionPath -ChildPath "x64" | Join-Path -ChildPath "codeql" | Join-Path -ChildPath "codeql"
+ $CodeQLVersion = & $CodeQLPath version --quiet
+ return "CodeQL Action Bundle $CodeQLVersion"
 }
\ No newline at end of file
diff --git a/images/macos/software-report/SoftwareReport.Generator.ps1 b/images/macos/software-report/SoftwareReport.Generator.ps1
index 199635d4f..c83645f50 100644
--- a/images/macos/software-report/SoftwareReport.Generator.ps1
+++ b/images/macos/software-report/SoftwareReport.Generator.ps1
@@ -159,7 +159,8 @@ $toolsList = @(
 (Get-AzureDevopsVersion),
 (Get-AWSCLIVersion),
 (Get-AWSSAMCLIVersion),
- (Get-AWSSessionManagerCLIVersion)
+ (Get-AWSSessionManagerCLIVersion),
+ (Get-CodeQLBundleVersion)
 )
 
 if ($os.IsLessThanMonterey) {
diff --git a/images/macos/templates/macOS-11.anka.pkr.hcl b/images/macos/templates/macOS-11.anka.pkr.hcl
index 48d49444a..387969d7f 100644
--- a/images/macos/templates/macOS-11.anka.pkr.hcl
+++ b/images/macos/templates/macOS-11.anka.pkr.hcl
@@ -212,7 +212,8 @@ build {
 "./provision/core/pypy.sh",
 "./provision/core/pipx-packages.sh",
 "./provision/core/bicep.sh",
- "./provision/core/graalvm.sh"
+ "./provision/core/graalvm.sh",
+ "./provision/core/codeql-bundle.sh"
 ]
 environment_vars = [
 "API_PAT=${var.github_api_pat}"
diff --git a/images/macos/templates/macOS-11.json b/images/macos/templates/macOS-11.json
index 684e3d46a..b6ef7e894 100644
--- a/images/macos/templates/macOS-11.json
+++ b/images/macos/templates/macOS-11.json
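Review bot: `Join-Path $Env:AGENT_TOOLSDIRECTORY -ChildPath "CodeQL"` in Get-CodeQLBundleVersion looks for a capitalised `CodeQL` directory, while the provisioning script added in this commit creates it as `$AGENT_TOOLSDIRECTORY/codeql/...`; this resolves only because the default macOS volume is case-insensitive and would return nothing on a case-sensitive one. Using the directory name the script actually writes, `-ChildPath "codeql"`, removes that dependency. `Select-Object -First 1` picks whichever version directory the listing returns first, which is fine for a single baked-in bundle but deserves a comment such as `# One bundle is baked in; take the first (and only) version directory`. The same three-line path lookup appears verbatim in the new `CodeQL Action Bundle` block in Common.Tests.ps1, so a shared helper would keep the two in step.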
@@ -207,7 +207,8 @@
 "./provision/core/pypy.sh",
 "./provision/core/pipx-packages.sh",
 "./provision/core/bicep.sh",
- "./provision/core/graalvm.sh"
+ "./provision/core/graalvm.sh",
+ "./provision/core/codeql-bundle.sh"
 ],
 "environment_vars": [
 "API_PAT={{user `github_api_pat`}}"
diff --git a/images/macos/templates/macOS-12.anka.pkr.hcl b/images/macos/templates/macOS-12.anka.pkr.hcl
index 2eb1366b0..c612bcefa 100644
--- a/images/macos/templates/macOS-12.anka.pkr.hcl
+++ b/images/macos/templates/macOS-12.anka.pkr.hcl
@@ -213,7 +213,8 @@ build {
 "./provision/core/pypy.sh",
 "./provision/core/pipx-packages.sh",
 "./provision/core/bicep.sh",
- "./provision/core/graalvm.sh"
+ "./provision/core/graalvm.sh",
+ "./provision/core/codeql-bundle.sh"
 ]
 environment_vars = [
 "API_PAT=${var.github_api_pat}"
diff --git a/images/macos/templates/macOS-12.json b/images/macos/templates/macOS-12.json
index ee63e9820..5cd163ba2 100644
--- a/images/macos/templates/macOS-12.json
+++ b/images/macos/templates/macOS-12.json
@@ -208,7 +208,8 @@
 "./provision/core/pypy.sh",
 "./provision/core/pipx-packages.sh",
 "./provision/core/bicep.sh",
- "./provision/core/graalvm.sh"
+ "./provision/core/graalvm.sh",
+ "./provision/core/codeql-bundle.sh"
 ],
 "environment_vars": [
 "API_PAT={{user `github_api_pat`}}"
diff --git a/images/macos/tests/Common.Tests.ps1 b/images/macos/tests/Common.Tests.ps1
index 7e78b182d..bd1ab630e 100644
--- a/images/macos/tests/Common.Tests.ps1
+++ b/images/macos/tests/Common.Tests.ps1
@@ -137,4 +137,13 @@ Describe "VirtualBox" -Skip:($os.IsBigSur) {
 It "Check kext kernel modules" {
 kextstat | Out-String | Should -Match "org.virtualbox.kext"
 }
+}
+
+Describe "CodeQL Action Bundle" {
+ It "codeql" {
+ $CodeQLVersionWildcard = Join-Path $Env:AGENT_TOOLSDIRECTORY -ChildPath "CodeQL" | Join-Path -ChildPath "*"
+ $CodeQLVersionPath = Get-ChildItem $CodeQLVersionWildcard | Select-Object -First 1 -Expand FullName
+ $CodeQLPath = Join-Path $CodeQLVersionPath -ChildPath "x64" | Join-Path -ChildPath "codeql" | Join-Path -ChildPath "codeql"
+ "$CodeQLPath version --quiet" | Should -ReturnZeroExitCode
+ }
 }
\ No newline at end of file
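Review bot: The new `codeql` test only proves the binary runs; the `pinned-version` marker that the provisioning script writes next to it, and which it documents as the signal to the CodeQL Action that the bundle is baked in, is never checked, so a regression in that `touch` would still pass the suite. A second `It` in the same `Describe` asserting `Join-Path $CodeQLVersionPath -ChildPath "x64" | Join-Path -ChildPath "pinned-version" | Should -Exist` would cover it (the path variables would need to move to a `BeforeAll` or be repeated). The test also hands `"$CodeQLPath version --quiet"` over as a single string, which presumably breaks if `$Env:AGENT_TOOLSDIRECTORY` contains a space; worth confirming against how `Should -ReturnZeroExitCode` executes its argument. The enclosing `Describe "VirtualBox"` block starts outside the hunk.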