Merge branch 'main' into sticky-github-logo-header

Author: zeke

content/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-the-codeql-workflow-for-compiled-languages.md

@@ -40,10 +40,16 @@ If your workflow uses a `language` matrix, `autobuild` attempts to build each of
 
 | Supported system type | System name |
 |----|----|
-|  Operating system | Windows and Linux |
-| Build system | Autoconf, CMake, qmake, Meson, Waf, SCons, and Linux Kbuild |
+| Operating system | Windows, macOS, and Linux |
+| Build system | Windows: MSbuild and build scripts<br/>Linux and macOS: Autoconf, Make, CMake, qmake, Meson, Waf, SCons, Linux Kbuild, and build scripts |
 
-The behavior of the `autobuild` step varies according to the operating system that the extraction runs on. On Windows, the step has no default actions. On Linux, this step reviews the files present in the repository to determine the build system used:
+The behavior of the `autobuild` step varies according to the operating system that the extraction runs on. On Windows, the `autobuild` step attempts to autodetect a suitable build method for C/C++ using the following approach:
+
+1. Invoke `MSBuild.exe` on the solution (`.sln`) or project (`.vcxproj`) file closest to the root.
+If `autobuild` detects multiple solution or project files at the same (shortest) depth from the top level directory, it will attempt to build all of them.
+2. Invoke a script that looks like a build script—_build.bat_, _build.cmd_, _and build.exe_ (in that order).
+
+On Linux and macOS, the `autobuild` step reviews the files present in the repository to determine the build system used:
 
 1. Look for a build system in the root directory.
 2. If none are found, search subdirectories for a unique directory with a build system for C/C++.
@@ -53,7 +59,7 @@ The behavior of the `autobuild` step varies according to the operating system th
 
 | Supported system type | System name |
 |----|----|
-|  Operating system | Windows and Linux |
+| Operating system | Windows and Linux |
 | Build system | .NET and MSbuild, as well as build scripts |
 
 The `autobuild` process attempts to autodetect a suitable build method for C# using the following approach:
@@ -67,7 +73,7 @@ If `autobuild` detects multiple solution or project files at the same (shortest)
 
 | Supported system type | System name |
 |----|----|
-|  Operating system | Windows, macOS and Linux (no restriction) |
+| Operating system | Windows, macOS, and Linux (no restriction) |
 | Build system | Gradle, Maven and Ant |
 
 The `autobuild` process tries to determine the build system for Java codebases by applying this strategy:

content/github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system.md

@@ -97,7 +97,7 @@ The server has access to download the {{ site.data.variables.product.prodname_co
 
 #### Compiled language example
 
-This example is similar to the previous example, however this time the repository has code in C/C++, C#, or Java. To create a {{ site.data.variables.product.prodname_codeql }} database for these languages, the CLI needs to trace the build. At the end of the initialization process, the runner reports the command you need to set up the environment before building the code. You need to run this command, before calling the normal CI build process, and then running the `analyze` command.
+This example is similar to the previous example, however this time the repository has code in C/C++, C#, or Java. To create a {{ site.data.variables.product.prodname_codeql }} database for these languages, the CLI needs to monitor the build. At the end of the initialization process, the runner reports the command you need to set up the environment before building the code. You need to run this command, before calling the normal CI build process, and then running the `analyze` command.
 
 1. Check out the repository to analyze.
 1. Move into the directory where the repository is checked out.
@@ -114,7 +114,7 @@ This example is similar to the previous example, however this time the repositor
       . /srv/checkout/example-repo-2/codeql-runner/codeql-env.sh".
       ```
 
-1. Run the script generated by the `init` action to set up the environment to trace the build.
+1. Run the script generated by the `init` action to set up the environment to monitor the build.
 
     ```shell
     $ . /srv/checkout/example-repo-2/codeql-runner/codeql-env.sh

content/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-code-scanning-in-your-ci-system.md

@@ -22,10 +22,30 @@ To avoid this automatic download, you can manually download the {{ site.data.var
 
 ### No code found during the build
 
-If the `analyze` command for the {{ site.data.variables.product.prodname_codeql_runner }} fails with an error `No source code was seen during the build`, this indicates that {{ site.data.variables.product.prodname_codeql }} was unable to trace your code. Several reasons can explain such a failure.
+If the `analyze` command for the {{ site.data.variables.product.prodname_codeql_runner }} fails with an error `No source code was seen during the build`, this indicates that {{ site.data.variables.product.prodname_codeql }} was unable to monitor your code. Several reasons can explain such a failure.
 
 1. Automatic language detection identified a supported language, but there is no analyzable code of that language in the repository. A typical example is when our language detection service finds a file associated with a particular programming language like a `.h`, or `.gyp` file, but no corresponding executable code is present in the repository. To solve the problem, you can manually define the languages you want to analyze by using the `--languages` flag of the `init` command. For more information, see "[Configuring {{ site.data.variables.product.prodname_code_scanning }} in your CI system](/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning-in-your-ci-system)."
 
-1. You're analyzing a compiled language without using the `autobuild` command and you run the build steps yourself after the `init` step. For the build to work, you must set up the environment such that the {{ site.data.variables.product.prodname_codeql_runner }} can trace the code. The `init` command generates instructions for how to export the required environment variables, so you can copy and run the script. For more information, see "[Running {{ site.data.variables.product.prodname_code_scanning }} in your CI system](/github/finding-security-vulnerabilities-and-errors-in-your-code/running-code-scanning-in-your-ci-system#compiled-language-example)."
+1. You're analyzing a compiled language without using the `autobuild` command and you run the build steps yourself after the `init` step. For the build to work, you must set up the environment such that the {{ site.data.variables.product.prodname_codeql_runner }} can monitor the code. The `init` command generates instructions for how to export the required environment variables, so you can copy and run the script after you've run the `init` command.
+   - On macOS and Linux:
+     ```shell
+      $ . codeql-runner/codeql-env.sh
+     ```
+   - On Windows, using the Command shell (`cmd`) or a batch file (`.bat`):
+     ```shell
+     > call codeql-runner\codeql-env.bat
+     ```
+   - On Windows, using PowerShell:
+     ```shell
+     > cat codeql-runner\codeql-env.sh | Invoke-Expression
+     ```
+
+   The environment variables are also stored in the file `codeql-runner/codeql-env.json`. This file contains a single JSON object which maps environment variable keys to values. If you can't run the script generated by the `init` command, then you can use the data in JSON format instead.
+
+   {% note %}
+
+   **Note:** If you used the `--temp-dir` flag of the `init` command to specify a custom directory for temporary files, the path to the `codeql-env` files might be different.
+
+   {% endnote %}
 
 1. The code is built in a container or on a separate machine. If you use a containerized build or if you outsource the build to another machine, make sure to run the {{ site.data.variables.product.prodname_codeql_runner }} in the container or on the machine where your build task takes place.

content/github/finding-security-vulnerabilities-and-errors-in-your-code/troubleshooting-the-codeql-workflow.md

@@ -44,7 +44,7 @@ If an automatic build of code for a compiled language within your project fails,
 
 ### No code found during the build
 
-If your workflow fails with an error `No source code was seen during the build` or `The process '/opt/hostedtoolcache/CodeQL/0.0.0-20200630/x64/codeql/codeql' failed with exit code 32`, this indicates that {{ site.data.variables.product.prodname_codeql }} was unable to trace your code. Several reasons can explain such a failure:
+If your workflow fails with an error `No source code was seen during the build` or `The process '/opt/hostedtoolcache/CodeQL/0.0.0-20200630/x64/codeql/codeql' failed with exit code 32`, this indicates that {{ site.data.variables.product.prodname_codeql }} was unable to monitor your code. Several reasons can explain such a failure:
 
 1. Automatic language detection identified a supported language, but there is no analyzable code of that language in the repository. A typical example is when our language detection service finds a file associated with a particular programming language like a `.h`, or `.gyp` file, but no corresponding executable code is present in the repository. To solve the problem, you can manually define the languages you want to analyze by updating the list of languages in the `language` matrix. For example, the following configuration will analyze only Go, and JavaScript.
 

includes/head.html

@@ -1,4 +1,5 @@
 <head>
+  <meta charset="utf-8" />
   <title>{% if error == '404' %}{{ site.data.ui.errors.oops }}{% elsif currentVersion == 'homepage' %}GitHub Documentation{% else %}{{ page.fullTitle }}{% endif %}</title>
   <meta name="viewport" content="width=device-width, initial-scale=1">{% if page.hidden %}
   <meta name="robots" content="noindex" />{% endif %}
@@ -25,14 +26,4 @@
   <link rel="stylesheet" href="/dist/index.css">
   <link rel="alternate icon" type="image/png" href="/assets/images/site/favicon.png">
   <link rel="icon" type="image/svg+xml" href="/assets/images/site/favicon.svg">
-
-  {% if page.relativePath contains "managing-your-work-on-github/disabling-project-boards-in-your-organization" %}
-  <!--TODO CSRF remove the outer check -->
-  {% if fastlyEnabled %}
-    <!-- https://www.fastly.com/blog/caching-uncacheable-csrf-security -->
-    <esi:include src="/csrf" />
-  {% else %}
-    <meta name="csrf-token" content="{{ csrfToken }}" />
-  {% endif %}
-  {% endif %}
 </head>

javascripts/get-csrf.js

@@ -1,3 +1,17 @@
+export async function fillCsrf () {
+  const response = await fetch('/csrf', {
+    method: 'GET',
+    headers: {
+      'Content-Type': 'application/json'
+    }
+  })
+  const json = response.ok ? await response.json() : {}
+  const meta = document.createElement('meta')
+  meta.setAttribute('name', 'csrf-token')
+  meta.setAttribute('content', json.token)
+  document.querySelector('head').append(meta)
+}
+
 export default function getCsrf () {
   const csrfEl = document
     .querySelector('meta[name="csrf-token"]')

javascripts/index.js

@@ -13,6 +13,7 @@ import print from './print'
 import localization from './localization'
 import helpfulness from './helpfulness'
 import experiment from './experiment'
+import { fillCsrf } from './get-csrf'
 
 document.addEventListener('DOMContentLoaded', () => {
   displayPlatformSpecificContent()
@@ -26,6 +27,7 @@ document.addEventListener('DOMContentLoaded', () => {
   wrapCodeTerms()
   print()
   localization()
+  fillCsrf()
   helpfulness()
   experiment()
 })

layouts/default.html

@@ -1,3 +1,4 @@
+<!doctype html>
 <html lang="{{currentLanguage}}">
   {% include head %}
 

layouts/product-landing.html

@@ -1,9 +1,10 @@
+<!doctype html>
 <html lang="{{currentLanguage}}">
   {% include head %}
 
   <body class="d-lg-flex">
     {% include sidebar %}
-    
+
     <main class="width-full">
       {% include header %}
 

middleware/context.js

@@ -55,14 +55,6 @@ module.exports = async function contextualize (req, res, next) {
   req.context.siteTree = siteTree
   req.context.pages = pages
 
-  // To securely accept data from end users,
-  // we need to validate that they were actually on a docs page first.
-  // We'll put this token in the <head> and call on it when we send user data
-  // to the docs server, so we know the request came from someone on the page.
-  req.context.csrfToken = req.csrfToken()
-  req.context.fastlyEnabled = process.env.NODE_ENV === 'production' &&
-    req.hostname === 'docs.github.com'
-
   return next()
 }