Merge branch 'main' into GeekMasher-patch-1

Author: mbaluda

.github/instructions/extractors_cds_tools_ts.instructions.md

@@ -0,0 +1,65 @@
+---
+applyTo: 'extractors/cds/tools/**/*.ts'
+description: 'Instructions for CodeQL CDS extractor TypeScript source and test files.'
+---
+
+# Copilot Instructions for `extractors/cds/tools/**/*.ts` files
+
+## PURPOSE
+
+This file contains instructions for working with TypeScript source code files in the `extractors/cds/tools/` directory of the `codeql-sap-js` repository. This includes the main `cds-extractor.ts` entry-point, modular source files in `src/**/*.ts`, and comprehensive test files in `test/**/*.test.ts`.
+
+## REQUIREMENTS
+
+## COMMON REQUIREMENTS
+
+- ALWAYS use modern TypeScript syntax and features compatible with the configured target (ES2020).
+- ALWAYS follow best practices for implementing secure and efficient CodeQL extractor functionality.
+- ALWAYS order imports, definitions, static lists, and similar constructs alphabetically.
+- ALWAYS follow a test-driven development (TDD) approach by writing comprehensive tests for new features or bug fixes.
+- ALWAYS fix lint errors by running `npm run lint:fix` from the `extractors/cds/tools/` directory before committing changes.
+- ALWAYS maintain consistency between the CDS extractor's compilation behavior and the `extractors/cds/tools/test/cds-compilation-for-actions.test.sh` script to prevent CI/CD workflow failures.
+- **ALWAYS run `npm run build:all` from the `extractors/cds/tools/` directory and ensure it passes completely before committing any changes. This is MANDATORY and includes lint checks, test coverage, and bundle validation.**
+
+### CDS EXTRACTOR SOURCE REQUIREMENTS
+
+The following requirements are specific to the CDS extractor main entry-point `cds-extractor.ts` and source files matching `extractors/cds/tools/src/**/*.ts`.
+
+- ALWAYS keep the main entry-point `cds-extractor.ts` focused on orchestration, delegating specific tasks to well-defined modules in `src/`.
+- ALWAYS gracefully handle extraction failures using tool-level diagnostics in order to avoid disrupting the overall CodeQL extraction process. Instead of exiting with a non-zero code, the CDS extractor should generate a diagnostic error (or warning) that points to the relative path (from source root) of the problematic source (e.g. `.cds`) file.
+
+### CDS EXTRACTOR TESTING REQUIREMENTS
+
+The following requirements are specific to the CDS extractor test files matching `extractors/cds/tools/test/**/*.test.ts`.
+
+- ALWAYS write unit tests for new functions and classes in corresponding `test/src/**/*.test.ts` files.
+- ALWAYS use Jest testing framework with the configured `ts-jest` preset.
+- ALWAYS follow the AAA pattern (Arrange, Act, Assert) for test structure.
+- ALWAYS mock external dependencies (filesystem, child processes, network calls) using Jest mocks or `mock-fs`.
+- ALWAYS test both success and error scenarios with appropriate edge cases.
+- ALWAYS maintain test coverage above the established threshold.
+- **ALWAYS run `npm test` or `npm run test:coverage` from the `extractors/cds/tools/` directory and ensure all tests pass before committing changes.**
+
+## PREFERENCES
+
+- PREFER modular design with each major functionality implemented in its own dedicated file or module under `src/`.
+- PREFER the existing architectural patterns:
+  - `src/cds/compiler/` for CDS compiler specific logic
+  - `src/cds/parser/` for CDS parser specific logic
+  - `src/logging/` for unified logging and performance tracking
+  - `src/packageManager/` for dependency management and caching
+  - `src/codeql.ts` for CodeQL JavaScript extractor integration
+  - `src/environment.ts` for environment setup and validation
+- PREFER comprehensive error handling with diagnostic reporting through the `src/diagnostics.ts` module.
+- PREFER performance-conscious implementations that minimize filesystem operations and dependency installations.
+- PREFER project-aware processing that understands CDS file relationships and dependencies.
+
+## CONSTRAINTS
+
+- NEVER leave any trailing whitespace on any line.
+- NEVER directly modify any compiled files in the `dist/` directory; all changes must be made in the corresponding `src/` files and built using the build process.
+- NEVER commit changes without verifying that `npm run build:all` passes completely when run from the `extractors/cds/tools/` directory.
+- NEVER modify compilation behavior without updating the corresponding test script `extractors/cds/tools/test/cds-compilation-for-actions.test.sh`.
+- NEVER process CDS files in isolation - maintain project-aware context for accurate extraction.
+- NEVER bypass the unified logging system - use `src/logging/` utilities for all output and diagnostics.
+- NEVER commit extra documentation files that purely explain what has been changed and/or fixed; use git commit messages instead of adding any `.md` files that you have not explicitly been requested to create.

.github/pull_request_template.md

@@ -0,0 +1,10 @@
+## What This PR Contributes
+
+<!-- Explain in Markdown bullet points what is covered in this PR:
+     1. Organize the bullet points in a reasonable level of hierarchy, and
+     2. Be as EXHAUSTIVE as possible. -->
+
+## Future Works
+
+<!-- Explain in Markdown bullet points what is OUT OF SCOPE of this PR.
+     Also organize them with bullet points in a reasonable of hierarchy. -->

.github/workflows/cds-extractor-dist-bundle.yml

@@ -0,0 +1,88 @@
+name: CDS Extractor Distribution Bundle
+
+on:
+  push:
+    branches: [ main ]
+    paths: 
+      - 'extractors/cds/**'
+  pull_request:
+    branches: [ main ]
+    paths:
+      - 'extractors/cds/**'
+  workflow_dispatch:
+    # This job can be manually triggered to validate the CDS extractor bundle
+
+jobs:
+  bundle-validation:
+    name: CDS extractor bundle validation
+    runs-on: ubuntu-latest
+    
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: '20'
+        cache: 'npm'
+        cache-dependency-path: 'extractors/cds/tools/package-lock.json'
+    
+    - name: Install node dependencies
+      working-directory: extractors/cds/tools
+      run: npm ci
+    
+    - name: Run TS code linter
+      working-directory: extractors/cds/tools
+      run: npm run lint
+    
+    - name: Run TS code unit tests with coverage report
+      working-directory: extractors/cds/tools
+      run: npm run test:coverage
+    
+    - name: Build and validate the CDS extractor bundle
+      working-directory: extractors/cds/tools
+      run: npm run build:validate
+
+    - name: Validate CDS extractor JS bundle and map files
+      working-directory: extractors/cds/tools
+      run: |
+        _bundle_file="dist/cds-extractor.bundle.js"
+        _bundle_map_file="${_bundle_file}.map"
+        if [ -f "$_bundle_file" ]; then
+          echo "✅ Bundle file exists."
+        else
+          echo "❌ Bundle file not found."
+          exit 2
+        fi
+
+        if [ -f "$_bundle_map_file" ]; then
+          echo "✅ CDS extractor JS bundle source map file exists."
+        else
+          echo "❌ CDS extractor JS bundle source map file not found."
+          exit 3
+        fi
+
+        # Check if the built bundle and map files differ
+        # from the versions committed to git.
+        if git diff --exit-code "$_bundle_file" "$_bundle_map_file"; then
+          echo "✅ CDS JS bundle and map files match committed versions."
+        else
+          echo "❌ CDS JS bundle and/or map file(s) differ from committed version(s)."
+          echo "The built bundle and/or source map do not match the committed versions."
+          echo "Please rebuild the bundle and commit the changes:"
+          echo "  cd extractors/cds/tools"
+          echo "  npm install"
+          echo "  npm run build:all"
+          echo "  git add dist/cds-extractor.bundle.*"
+          echo "  git commit -m 'Update CDS extractor dist bundle'"
+          exit 4
+        fi
+
+        # Check if bundle file starts with the expected shebang for `node`.
+        if head -n 1 "${_bundle_file}" | grep -q "#!/usr/bin/env node"; then
+          echo "✅ Bundle has Node.js shebang"
+        else
+          echo "❌  Bundle missing Node.js shebang"
+          exit 5
+        fi

.github/workflows/code_scanning.yml

@@ -10,6 +10,9 @@ on:
     - cron: '39 12 * * 2'
   workflow_dispatch:
 
+env:
+  CODEQL_ACTION_DIFF_INFORMED_QUERIES: false
+
 jobs:
   analyze-javascript:
     name: Analyze

.github/workflows/javascript.sarif.expected

@@ -77,24 +77,28 @@ jobs:
         run: |
           qlt query run install-packs
 
-      - name: Ensure presence of cds shell command
-        run: |
-          if ! command -v cds &> /dev/null
-          then
-            npm install -g @sap/cds-dk
-          fi
+      - name: Setup Node.js for CDS compilation
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+          cache: 'npm'
+          cache-dependency-path: 'extractors/cds/tools/package-lock.json'
 
-      # Compile .cds files to .cds.json files.
+      - name: Verify Node.js and npm tools
+        run: |
+          echo "Node.js version: $(node --version)"
+          echo "npm version: $(npm --version)"
+          echo "npx version: $(npx --version)"
+          # Verify npx can access @sap/cds-dk without installing globally
+          echo "Testing npx access to @sap/cds-dk..."
+          npx --yes --package @sap/cds-dk@latest cds --version || echo "CDS will be installed per-project as needed"
+
+      # Compile .cds files to .cds.json files using the dedicated test script
       - name: Compile CAP CDS files
         run: |
-          for cds_file in $(find . -type f \( -iname '*.cds' \) -print)
-          do
-            echo "I am compiling $cds_file"
-            cds compile $cds_file \
-              -2 json \
-              -o "$cds_file.json" \
-              --locations
-          done
+          # Use the dedicated CDS compilation script that includes proper version resolution
+          # This script follows the same logic as the CDS extractor's resolveCdsVersions function
+          ./extractors/cds/tools/workflow/cds-compilation-for-actions.sh
 
       - name: Run test suites
         id: run-test-suites
@@ -105,7 +109,7 @@ jobs:
           CODEQL_STDLIB_IDENT: ${{matrix.codeql_standard_library_ident}}
           RUNNER_TMP: ${{ runner.temp }}
           LGTM_INDEX_XML_MODE: all
-          LGTM_INDEX_FILETYPES: ".json:JSON"
+          LGTM_INDEX_FILETYPES: ".json:JSON\n.cds:JSON"
 
         shell: bash
         run: >

.github/workflows/run-codeql-unit-tests-javascript.yml

@@ -0,0 +1,111 @@
+name: "Update the CodeQL CLI dependencies"
+
+on:
+    workflow_dispatch:
+    # nightly runs to update the CodeQL CLI dependencies
+    schedule:
+      - cron: '30 0 * * *'
+
+permissions:
+    contents: write
+    pull-requests: write
+
+jobs:
+    update-codeql:
+        name: Update CodeQL CLI dependencies
+        runs-on: ubuntu-latest
+
+        steps:
+        - name: Checkout repository
+          uses: actions/checkout@v4
+
+        - name: Check latest CodeQL CLI version and update qlt.conf.json
+          id: check-version
+          env:
+            GH_TOKEN: ${{ github.token }}
+          run: |
+            echo "Checking latest CodeQL CLI version"
+            current_version=$(jq .CodeQLCLI qlt.conf.json -r)
+            latest_version=$(gh release list --repo github/codeql-cli-binaries --json 'tagName,isLatest' --jq '.[] | select(.isLatest == true) | .tagName')
+            echo "Current CodeQL CLI version: $current_version"
+            echo "Latest CodeQL CLI version: $latest_version"
+
+            # Remove 'v' prefix if present for comparison with current version
+            latest_clean=$(echo "$latest_version" | sed 's/^v//')
+
+            if [ "$latest_clean" != "$current_version" ]; then
+              echo "Updating CodeQL CLI from $current_version to $latest_clean"
+              echo "update_needed=true" >> $GITHUB_OUTPUT
+              echo "latest_version=$latest_clean" >> $GITHUB_OUTPUT
+              echo "latest_version_tag=$latest_version" >> $GITHUB_OUTPUT
+
+              # Update qlt.conf.json with all properties
+              echo "Updating qlt.conf.json with all properties for version $latest_clean"
+              jq --arg cli_version "$latest_clean" \
+                 --arg std_lib "codeql-cli/$latest_version" \
+                 --arg bundle "codeql-bundle-$latest_version" \
+                 '.CodeQLCLI = $cli_version | .CodeQLStandardLibrary = $std_lib | .CodeQLCLIBundle = $bundle' \
+                 qlt.conf.json > qlt.conf.json.tmp && mv qlt.conf.json.tmp qlt.conf.json
+
+              echo "Updated qlt.conf.json contents:"
+              cat qlt.conf.json
+            else
+              echo "CodeQL CLI is already up-to-date at version $current_version."
+              echo "update_needed=false" >> $GITHUB_OUTPUT
+            fi
+
+        - name: Install QLT
+          if: steps.check-version.outputs.update_needed == 'true'
+          id: install-qlt
+          uses: advanced-security/codeql-development-toolkit/.github/actions/install-qlt@main
+          with:
+            qlt-version: 'latest'
+            add-to-path: true
+
+        - name: Install CodeQL
+          if: steps.check-version.outputs.update_needed == 'true'
+          id: install-codeql
+          shell: bash
+          run: |
+            echo "Installing CodeQL"
+            qlt codeql run install
+            echo "-----------------------------"
+            echo "CodeQL Home: $QLT_CODEQL_HOME"
+            echo "CodeQL Binary: $QLT_CODEQL_PATH"
+
+        - name: Upgrade CodeQL pack lock files
+          if: steps.check-version.outputs.update_needed == 'true'
+          shell: bash
+          run: |
+            echo "Upgrading CodeQL pack lock files"
+            echo "Finding all directories with qlpack.yml files..."
+
+            # Find all directories containing qlpack.yml files
+            find . -name "qlpack.yml" -type f | while read -r qlpack_file; do
+              pack_dir=$(dirname "$qlpack_file")
+              echo "Upgrading pack in directory: $pack_dir"
+
+              # Change to the directory and run codeql pack upgrade
+              cd "$pack_dir"
+              $QLT_CODEQL_PATH pack upgrade
+              cd - > /dev/null
+            done
+
+            echo "Finished upgrading all CodeQL pack lock files"
+
+        - name: Create Pull Request
+          if: steps.check-version.outputs.update_needed == 'true'
+          uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+          with:
+            title: "Upgrade CodeQL CLI dependency to ${{ steps.check-version.outputs.latest_version_tag }}"
+            body: |
+                This PR upgrades the CodeQL CLI version to ${{ steps.check-version.outputs.latest_version_tag }}.
+
+                **Changes made:**
+                - Updated `CodeQLCLI` to `${{ steps.check-version.outputs.latest_version }}`
+                - Updated `CodeQLStandardLibrary` to `codeql-cli/${{ steps.check-version.outputs.latest_version_tag }}`
+                - Updated `CodeQLCLIBundle` to `codeql-bundle-${{ steps.check-version.outputs.latest_version_tag }}`
+                - Upgraded all CodeQL pack lock files using `codeql pack upgrade`
+            commit-message: "Upgrade CodeQL CLI dependency to ${{ steps.check-version.outputs.latest_version_tag }}"
+            delete-branch: true
+            branch: "codeql/upgrade-to-${{ steps.check-version.outputs.latest_version_tag }}"

.github/workflows/update-codeql.yml

@@ -62,6 +62,7 @@ typings/
 
 # Misc
 .DS_Store
+.*.swp
 
 dist/
 tmp/
@@ -70,3 +71,5 @@ tmp/
 **.testproj
 dbs
 *.cds.json
+.cds-extractor-cache
+