github · aeisenberg · Jun 16, 2022 · Jun 14, 2022 · Jun 14, 2022 · Jun 14, 2022
diff --git a/.github/workflows/expected-queries-runs.yml b/.github/workflows/expected-queries-runs.yml
@@ -1,6 +1,4 @@
 name: Expected queries runs
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 on:
   push:

diff --git a/.github/workflows/query-filters.yml b/.github/workflows/query-filters.yml
@@ -0,0 +1,97 @@
+name: Query filters tests
+
+on:
+  push:
+    branches:
+    - main
+    - releases/v1
+    - releases/v2
+  pull_request:
+    types:
+    - opened
+    - synchronize
+    - reopened
+    - ready_for_review
+  workflow_dispatch: {}
+
+jobs:
+  expected-queries:
+    timeout-minutes: 45
+    runs-on: ubuntu-latest
+    steps:
+    - name: Check out repository
+      uses: actions/checkout@v3
+    - name: Prepare test
+      id: prepare-test
+      uses: ./.github/prepare-test
+      with:
+        version: latest
+
+    # Test 1
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        config-file: ./.github/codeql/codeql-config-query-filters1.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        db-location: ${{ runner.temp }}/test1
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        TEST_MODE: true
+    - name: Check Sarif
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file:  ${{ runner.temp }}/results/javascript.sarif
+        queries-run: js/zipslip
+        queries-not-run: js/path-injection
+    - name: Cleanup after test
+      run: rm -rf "$RUNNER_TEMP/results"
+
+    # Test 2
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        config-file: ./.github/codeql/codeql-config-query-filters2.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        db-location: ${{ runner.temp }}/test2
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        TEST_MODE: true
+    - name: Check Sarif
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file:  ${{ runner.temp }}/results/javascript.sarif
+        queries-run: js/zipslip,javascript/example/empty-or-one-block
+        queries-not-run: js/path-injection
+    - name: Cleanup after test
+      run: rm -rf "$RUNNER_TEMP/results"
+
+    # Test 3
+    - uses: ./../action/init
+      with:
+        languages: javascript
+        config-file: ./.github/codeql/codeql-config-query-filters3.yml
+        tools: ${{ steps.prepare-test.outputs.tools-url }}
+        db-location: ${{ runner.temp }}/test3
+    - uses: ./../action/analyze
+      with:
+        output: ${{ runner.temp }}/results
+        upload-database: false
+        upload: false
+      env:
+        TEST_MODE: true
+    - name: Check Sarif
+      uses: ./../action/.github/check-sarif
+      with:
+        sarif-file:  ${{ runner.temp }}/results/javascript.sarif
+        queries-run: js/zipslip,javascript/example/empty-or-one-block,inrepo-javascript-querypack/show-ifs
+        queries-not-run: js/path-injection,complex-python-querypack/show-ifs,complex-python-querypack/foo/bar/show-ifs
+    - name: Cleanup after test
+      run: rm -rf "$RUNNER_TEMP/results"
diff --git a/tests/multi-language-repo/.github/codeql/codeql-config-query-filters1.yml b/tests/multi-language-repo/.github/codeql/codeql-config-query-filters1.yml
@@ -0,0 +1,10 @@
+name: "CodeQL config 1"
+
+query-filters:
+# This should run js/path-injection and js/zipslip
+- include:
+    tags contain: external/cwe/cwe-022
+
+# Removes out js/path-injection
-# Removes out js/path-injection
+# Removes js/path-injection
-# Removes out js/path-injection
+# Removes js/path-injection
+- exclude:
+    id: js/path-injection
diff --git a/tests/multi-language-repo/.github/codeql/codeql-config-query-filters2.yml b/tests/multi-language-repo/.github/codeql/codeql-config-query-filters2.yml
@@ -0,0 +1,21 @@
+name: "CodeQL config 2"
+
+disable-default-queries: true
+
+packs:
+  javascript:
+    - codeql/javascript-queries
+    - dsp-testing/[email protected]
+
+query-filters:
+# This should run js/path-injection and js/zipslip
+- include:
+    tags contain: external/cwe/cwe-022
+
+# Removes out js/path-injection
-# Removes out js/path-injection
+# Removes js/path-injection
-# Removes out js/path-injection
+# Removes js/path-injection
+- exclude:
+    id: js/path-injection
+
+# Query from extra pack
+- include:
+    id: javascript/example/empty-or-one-block
diff --git a/tests/multi-language-repo/.github/codeql/codeql-config-query-filters3.yml b/tests/multi-language-repo/.github/codeql/codeql-config-query-filters3.yml
@@ -0,0 +1,35 @@
+name: "CodeQL config 3"
+
+disable-default-queries: true
+
+queries:
+# Local query
+  - name: Run an extra local query
+    uses: ./codeql-qlpacks/javascript-qlpack/show_ifs.ql
+
+# These queries are ignored
+  - name: Ignored queries
+    uses: ./codeql-qlpacks/complex-python-qlpack/rootAndBar.qls
+
+
+packs:
+  javascript:
+    - codeql/javascript-queries
+    - dsp-testing/[email protected]
+
+query-filters:
+# This should run js/path-injection and js/zipslip
+- include:
+    tags contain: external/cwe/cwe-022
+
+# Removes out js/path-injection
-# Removes out js/path-injection
+# Removes js/path-injection
-# Removes out js/path-injection
+# Removes js/path-injection
+- exclude:
+    id: js/path-injection
+
+# Query from extra pack
+- include:
+    id: javascript/example/empty-or-one-block
+
+# Local query
+- include:
+    id: inrepo-javascript-querypack/show-ifs