Use the workspace trust feature

[shati-patel]

Will fix #849 and will also (indirectly) fix #509.

Uses the syntax from microsoft/vscode#120251 (comment) to let the CodeQL extension work with workspace trust. For users who have enabled the workspace trust feature:

• If the user trusts the workspace: all CodeQL features are enabled
• If the user doesn't trust the workspace: Certain settings (that could execute arbitrary code from the workspace) are disabled at the workspace level, and the extension ignores them. This is what the UI looks like:
  

⚠️ Note: Currently, you can't use the CodeQL extension at all in untrusted workspaces. This is because it depends on the Test Explorer, which currently doesn't work in untrusted workspaces. PR: hbenl/vscode-test-explorer#204. Fixed!

Checklist

• Once VS Code is released with workspace trust enabled by default, we need to update the minimum VS Code version required to run this extension. See:
  

  vscode-codeql/extensions/ql-vscode/package.json

  Lines 15 to 17 in 72d57ee

  	"engines": {
  	"vscode": "^1.43.0"
  	},

• CHANGELOG.md has been updated to incorporate all user visible changes made by this pull request.
• Issues have been created for any UI or other user-facing changes made by this pull request.
• @github/docs-content-codeql has been cc'd in all issues for UI or other user-facing changes made by this pull request.
  • Will require small update to https://codeql.github.com/docs/codeql-for-visual-studio-code/customizing-settings:

    To override the default behavior and use a different CLI, you can specify the CodeQL CLI Executable Path. Note that this is only available as a user setting, not as a workspace setting.

  • Docs PR opened here: [Already shipped] Docs: Update setting in CodeQL for VS Code codeql#6072

[aeisenberg]

This looks great! Three extra things:

1. This PR should also address Allow CodeQL CLI version (not path) to be specified in workspace settings #509 because users can now specify per-workspace cli versions.
2. We should not merge this until workspace trust is enabled by default in vscode. I'm not sure which version that will be, but I think it's happening soon.
3. We need to update the minimum vscode version required to run this extension when the appropriate vscode is released. See:
   

   vscode-codeql/extensions/ql-vscode/package.json

   Lines 15 to 17 in 72d57ee

   	"engines": {
   	"vscode": "^1.43.0"
   	},

[aeisenberg]

The upstream PR has been merged and the new version of test explorer has been released. Let's ship this!

[shati-patel]

The upstream PR has been merged and the new version of test explorer has been released. Let's ship this!

We should probably still wait until workspace trust is enabled by default in VS Code, since we've changed the CLI executable setting back to "window" scope. (i.e. anyone who hasn't explicitly set "security.workspace.trust.enabled": true doesn't yet get any of the protection offered by workspace trust.)

Points 2 and 3 in your previous comment (#861 (comment)) still hold, I think!

[adityasharad]

Nice! Do we know what version of VS Code will ship with workspace trust?

[shati-patel]

Nice! Do we know what version of VS Code will ship with workspace trust?

I've been keeping an eye on microsoft/vscode#120251, but haven't seen anything about an expected release. (Maybe I'm looking in the wrong places though...)

I suppose we could revert the "machine -> window" change and ship the workspace trust implementation itself at any time? That would at least make the extension work for users who have enabled workspace trust and are in an untrusted workspace, without changing the behaviour for anyone else.

[aeisenberg]

We should probably still wait until until workspace trust is enabled by default in VS Code

Yes. Good point.

There is a block on the package.json and we should update this to the version where workspace trust is going to be released. This will ensure that users on older versions on vscode won't accidentally get the new configuration behaviour.

"engines": {
    "vscode": "^1.43.0"
},

[alexet]

Running qtests in untrusted workspaces is also unsafe at the moment and hence also needs to be disabled.

[shati-patel]

I've added some more commits to update dependencies, since workspace trust is now fully enabled (v1.57.0). I updated to 1.48.0 separately first, cherry-picked from #874 (which will hopefully minimise conflicts with the qc-development branch), so commit ec4785e shouldn't need a re-review.

---

Re:

Running qtests in untrusted workspaces is also unsafe at the moment and hence also needs to be disabled.

I think that's what line 30 covers:

vscode-codeql/extensions/ql-vscode/package.json

Lines 28 to 31 in 85a1f66

	"restrictedConfigurations": [
	"codeQL.cli.executablePath",
	"codeQL.runningTests.additionalTestArguments"
	]

(Unless we need to disable qltests completely? I'm not sure how to do that.)

[aeisenberg]

Looks good. Just some updates for the changelog.