Merge pull request #26 from advanced-security/patch-codeql-loading

fix: improve token handling and logging in CodeQL extractor

Author: GeekMasher

.release.yml

@@ -1,6 +1,6 @@
 name: "codeql-extractor-action"
 repository: "advanced-security/codeql-extractor-action"
-version: 0.1.3
+version: 0.1.4
 
 ecosystems:
   - Docs

Cargo.lock

@@ -1,7 +1,7 @@
 [package]
 name = "codeql-extractor-action"
 description = "GitHub Action for CodeQL Extractors"
-version = "0.1.3"
+version = "0.1.4"
 authors = ["GeekMasher"]
 
 license = "MIT"

Cargo.toml

@@ -29,7 +29,7 @@ This action is designed to be used in conjunction with the [CodeQL][CodeQL] anal
 
 ```yml
 - name: "CodeQL Extractor Action"
-  uses: advanced-security/codeql-extractor-action@v0.1.3
+  uses: advanced-security/codeql-extractor-action@v0.1.4
   with:
     # Repository reference (e.g. "owner/repo", "owner/repo@ref")
     extractor: "advanced-security/codeql-extractor-iac"

README.md

@@ -1,3 +1,3 @@
-FROM ghcr.io/advanced-security/codeql-extractor-action:v0.1.3
+FROM ghcr.io/advanced-security/codeql-extractor-action:v0.1.4
 
 ENTRYPOINT [ "codeql-extractor-action" ]

action.Dockerfile

@@ -105,10 +105,15 @@ pub struct Action {
 impl Action {
     /// Returns the GitHub Token for the action
     pub fn get_token(&self) -> String {
-        if self.token.is_empty() {
-            std::env::var("GITHUB_TOKEN").unwrap_or_default()
-        } else {
+        if !self.token.is_empty() {
+            log::debug!("Using provided token");
             self.token.clone()
+        } else if let Ok(gh_token) = std::env::var("GITHUB_TOKEN") {
+            log::debug!("No token provided, using GITHUB_TOKEN environment variable");
+            gh_token
+        } else {
+            log::debug!("No token provided, and GITHUB_TOKEN environment variable not set");
+            String::new()
         }
     }
 
@@ -205,12 +210,6 @@ impl Action {
     fn get_codeql_directories(&self) -> Vec<PathBuf> {
         let mut paths = Vec::new();
 
-        // GITHUB_WORKSPACE
-        if let Ok(github_workspace) = std::env::var("GITHUB_WORKSPACE") {
-            log::debug!("GITHUB_WORKSPACE found: {}", github_workspace);
-            paths.push(PathBuf::from(github_workspace).join(".codeql"));
-        }
-
         // Local CodeQL directory in the working directory
         if let Ok(working_dir) = self.working_directory() {
             if let Ok(local_codeql) = working_dir.join(".codeql").canonicalize() {
@@ -219,6 +218,12 @@ impl Action {
             }
         }
 
+        // GITHUB_WORKSPACE
+        if let Ok(github_workspace) = std::env::var("GITHUB_WORKSPACE") {
+            log::debug!("GITHUB_WORKSPACE found: {}", github_workspace);
+            paths.push(PathBuf::from(github_workspace).join(".codeql"));
+        }
+
         // Runner temp directory
         if let Ok(runner_temp) = std::env::var("RUNNER_TEMP") {
             log::debug!("RUNNER_TEMP found: {}", runner_temp);

src/action.rs

@@ -26,7 +26,7 @@ pub async fn codeql_download(action: &Action) -> Result<CodeQL> {
 
         // Try to install with authentication first (if token is available)
         if !token.is_empty() {
-            let octocrab_auth = action.octocrab_with_token(token)?;
+            let octocrab_auth = action.octocrab_with_token(&token)?;
             if let Ok(_) = codeql.install(&octocrab_auth, codeql_version).await {
                 log::info!("CodeQL installed using authentication");
                 return Ok(codeql);
@@ -35,6 +35,8 @@ pub async fn codeql_download(action: &Action) -> Result<CodeQL> {
                     "Failed to install CodeQL with authentication, trying without authentication..."
                 );
             }
+        } else {
+            log::debug!("No token provided, skipping authenticated installation attempt");
         }
 
         // Try to install without authentication
@@ -47,15 +49,17 @@ pub async fn codeql_download(action: &Action) -> Result<CodeQL> {
             log::info!("Attempting to install CodeQL using GitHub CLI...");
         }
 
-        let location = gh_codeql_download(codeql_version)
-            .await
-            .context("Failed to download CodeQL using GitHub CLI")?;
-        // Reinitialize CodeQL with the new path
-        codeql = CodeQL::init()
-            .path(location)
-            .build()
-            .await
-            .context("Failed to create CodeQL instance after GitHub CLI installation")?;
+        if !token.is_empty() {
+            let location = gh_codeql_download(codeql_version, &token)
+                .await
+                .context("Failed to download CodeQL using GitHub CLI")?;
+            // Reinitialize CodeQL with the new path
+            codeql = CodeQL::init()
+                .path(location)
+                .build()
+                .await
+                .context("Failed to create CodeQL instance after GitHub CLI installation")?;
+        }
 
         log::info!("CodeQL installed");
     } else {
@@ -78,15 +82,13 @@ pub async fn codeql_download(action: &Action) -> Result<CodeQL> {
 ///
 /// # Returns
 /// * `Result<String>` - Path to the installed CodeQL binary or an error
-async fn gh_codeql_download(codeql_version: &str) -> Result<String> {
+async fn gh_codeql_download(codeql_version: &str, token: &String) -> Result<String> {
     log::info!("Downloading CodeQL Extension for GitHub CLI...");
     log::debug!("Running command: gh extensions install github/gh-codeql");
+
     let status = tokio::process::Command::new("gh")
         .args(&["extensions", "install", "github/gh-codeql"])
-        .env(
-            "GH_TOKEN",
-            std::env::var("GITHUB_TOKEN").unwrap_or_default(),
-        )
+        .env("GH_TOKEN", &token)
         .status()
         .await
         .context("Failed to execute `gh extensions install github/gh-codeql` command")?;
@@ -107,10 +109,7 @@ async fn gh_codeql_download(codeql_version: &str) -> Result<String> {
     log::debug!("Running command: gh codeql set-version {codeql_version}");
     let status = tokio::process::Command::new("gh")
         .args(&["codeql", "set-version", codeql_version])
-        .env(
-            "GH_TOKEN",
-            std::env::var("GITHUB_TOKEN").unwrap_or_default(),
-        )
+        .env("GH_TOKEN", &token)
         .status()
         .await
         .context("Failed to execute `gh codeql set-version` command")?;
@@ -131,10 +130,7 @@ async fn gh_codeql_download(codeql_version: &str) -> Result<String> {
     log::debug!("Running command: gh codeql install-stub");
     let status = tokio::process::Command::new("gh")
         .args(&["codeql", "install-stub"])
-        .env(
-            "GH_TOKEN",
-            std::env::var("GITHUB_TOKEN").unwrap_or_default(),
-        )
+        .env("GH_TOKEN", &token)
         .status()
         .await
         .context("Failed to execute `gh codeql install-stub` command")?;

src/codeql.rs

@@ -165,10 +165,10 @@ async fn main() -> Result<()> {
 
     log::info!("CodeQL :: {codeql:#?}");
 
-    groupend!();
-
     std::fs::create_dir_all(&sarif_output).context("Failed to create results directory")?;
 
+    groupend!();
+
     for (extractor, reporef) in extractors {
         // The language is the name of the extractor
         let language = extractor.name.to_string();
@@ -248,7 +248,7 @@ async fn main() -> Result<()> {
         match codeql
             .database(&database)
             .queries(queries)
-            .output(sarif_path.clone())
+            .sarif(sarif_path.clone())
             .analyze()
             .await
         {