.github/workflows/script/update-required-checks.sh

@@ -28,8 +28,7 @@ fi
 echo "Getting checks for $GITHUB_SHA"
 
 # Ignore any checks with "https://", CodeQL, LGTM, and Update checks.
-# Also ignore the non-matrixed "Unit Tests" job that only runs on pushes to protected branches.
-CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs | .[].name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or . == "Unit Tests" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
+CHECKS="$(gh api repos/github/codeql-action/commits/"${GITHUB_SHA}"/check-runs --paginate | jq --slurp --compact-output --raw-output '[.[].check_runs.[] | select(.conclusion != "skipped") | .name | select(contains("https://") or . == "CodeQL" or . == "Dependabot" or . == "check-expected-release-files" or contains("Update") or contains("update") or contains("test-setup-python-scripts") | not)] | unique | sort')"
 
 echo "$CHECKS" | jq
 

CHANGELOG.md

@@ -4,6 +4,10 @@ See the [releases page](https://github.com/github/codeql-action/releases) for th
 
 Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.
 
+## 3.26.1 - 13 Aug 2024
+
+No user facing changes.
+
 ## 3.26.0 - 06 Aug 2024
 
 - _Deprecation:_ Swift analysis on Ubuntu runner images is no longer supported. Please migrate to a macOS runner if this affects you. [#2403](https://github.com/github/codeql-action/pull/2403)

README.md

@@ -33,17 +33,18 @@ To provide the best experience to customers using older versions of GitHub Enter
 
 For more information, see "[Code scanning: deprecation of CodeQL Action v2](https://github.blog/changelog/2024-01-12-code-scanning-deprecation-of-codeql-action-v2/)."
 
-## Supported versions of the CodeQL CLI and GitHub Enterprise Server
+## Supported versions of the CodeQL Bundle and GitHub Enterprise Server
 
-We typically release new minor versions of the CodeQL Action and CLI when a new minor version of GitHub Enterprise Server (GHES) is released. When a version of GHES is deprecated, the CodeQL Action and CLI releases that shipped with it are deprecated as well.
+We typically release new minor versions of the CodeQL Action and Bundle when a new minor version of GitHub Enterprise Server (GHES) is released. When a version of GHES is deprecated, the CodeQL Action and Bundle releases that shipped with it are deprecated as well.
 
-| Recommended CodeQL Action | Recommended CodeQL CLI Version | GitHub Environment |
+| Recommended CodeQL Action | Recommended CodeQL Bundle Version | GitHub Environment |
 |---------|----------|--------------|
 | `v3` | default (do not pass a `tools` input) | GitHub.com |
-| `v3.24.11` | `v2.16.6` | Enterprise Server 3.13 |
-| `3.22.12` | `2.15.5` | Enterprise Server 3.12 |
-| `2.22.1` | `2.14.6` | Enterprise Server 3.11 |
-| `2.20.3` | `2.13.5` | Enterprise Server 3.10 |
+| `v3.25.11` | `2.17.6` | Enterprise Server 3.14 |
+| `v3.24.11` | `2.16.6` | Enterprise Server 3.13 |
+| `v3.22.12` | `2.15.5` | Enterprise Server 3.12 |
+| `v2.22.1` | `2.14.6` | Enterprise Server 3.11 |
+| `v2.20.3` | `2.13.5` | Enterprise Server 3.10 |
 
 CodeQL Action `v2` will stop receiving updates when GHES 3.11 is deprecated.
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql",
-  "version": "3.26.0",
+  "version": "3.26.1",
   "private": true,
   "description": "CodeQL action",
   "scripts": {
@@ -34,7 +34,7 @@
     "@schemastore/package": "0.0.10",
     "@types/node-forge": "^1.3.11",
     "@types/uuid": "^10.0.0",
-    "adm-zip": "^0.5.14",
+    "adm-zip": "^0.5.15",
     "check-disk-space": "^3.4.0",
     "console-log-level": "^1.4.1",
     "del": "^6.1.1",
@@ -58,16 +58,16 @@
     "@ava/typescript": "4.1.0",
     "@eslint/compat": "^1.1.1",
     "@eslint/eslintrc": "^3.1.0",
-    "@eslint/js": "^9.8.0",
+    "@eslint/js": "^9.9.0",
     "@types/adm-zip": "^0.5.5",
     "@types/console-log-level": "^1.4.5",
     "@types/get-folder-size": "^2.0.0",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "20.9.0",
     "@types/semver": "^7.5.8",
     "@types/sinon": "^17.0.3",
-    "@typescript-eslint/eslint-plugin": "^8.0.1",
-    "@typescript-eslint/parser": "^8.0.1",
+    "@typescript-eslint/eslint-plugin": "^8.1.0",
+    "@typescript-eslint/parser": "^8.1.0",
     "ava": "^5.3.1",
     "eslint": "^8.57.0",
     "eslint-import-resolver-typescript": "^3.6.1",

pr-checks/checks/submit-sarif-failure.yml

@@ -19,6 +19,7 @@ steps:
   - uses: ./init
     with:
       languages: javascript
+      tools: ${{ steps.prepare-test.outputs.tools-url }}
   - name: Fail
     # We want this job to pass if the Action correctly uploads the SARIF file for
     # the failed run.

src/codeql.test.ts

@@ -134,7 +134,9 @@ test("downloads and caches explicitly requested bundles that aren't in the toolc
       t.assert(toolcache.find("CodeQL", `0.0.0-${version}`));
       t.is(result.toolsVersion, `0.0.0-${version}`);
       t.is(result.toolsSource, ToolsSource.Download);
-      t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+      t.assert(
+        Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs),
+      );
     }
 
     t.is(toolcache.findAllVersions("CodeQL").length, 2);
@@ -162,7 +164,9 @@ test("caches semantically versioned bundles using their semantic version number"
     t.assert(toolcache.find("CodeQL", `2.14.0`));
     t.is(result.toolsVersion, `2.14.0`);
     t.is(result.toolsSource, ToolsSource.Download);
-    t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+    t.assert(
+      Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs),
+    );
   });
 });
 
@@ -191,7 +195,9 @@ test("downloads an explicitly requested bundle even if a different version is ca
     t.assert(toolcache.find("CodeQL", "0.0.0-20200610"));
     t.deepEqual(result.toolsVersion, "0.0.0-20200610");
     t.is(result.toolsSource, ToolsSource.Download);
-    t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+    t.assert(
+      Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs),
+    );
   });
 });
 
@@ -233,7 +239,9 @@ for (const {
       t.assert(toolcache.find("CodeQL", expectedToolcacheVersion));
       t.deepEqual(result.toolsVersion, expectedToolcacheVersion);
       t.is(result.toolsSource, ToolsSource.Download);
-      t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+      t.assert(
+        Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs),
+      );
     });
   });
 }
@@ -268,7 +276,7 @@ for (const toolcacheVersion of [
         );
         t.is(result.toolsVersion, SAMPLE_DEFAULT_CLI_VERSION.cliVersion);
         t.is(result.toolsSource, ToolsSource.Toolcache);
-        t.is(result.toolsDownloadDurationMs, undefined);
+        t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
       });
     },
   );
@@ -298,7 +306,7 @@ test(`uses a cached bundle when no tools input is given on GHES`, async (t) => {
     );
     t.deepEqual(result.toolsVersion, "0.0.0-20200601");
     t.is(result.toolsSource, ToolsSource.Toolcache);
-    t.is(result.toolsDownloadDurationMs, undefined);
+    t.is(result.toolsDownloadStatusReport?.downloadDurationMs, undefined);
 
     const cachedVersions = toolcache.findAllVersions("CodeQL");
     t.is(cachedVersions.length, 1);
@@ -332,7 +340,9 @@ test(`downloads bundle if only an unpinned version is cached on GHES`, async (t)
     );
     t.deepEqual(result.toolsVersion, defaults.cliVersion);
     t.is(result.toolsSource, ToolsSource.Download);
-    t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+    t.assert(
+      Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs),
+    );
 
     const cachedVersions = toolcache.findAllVersions("CodeQL");
     t.is(cachedVersions.length, 2);
@@ -363,7 +373,9 @@ test('downloads bundle if "latest" tools specified but not cached', async (t) =>
     );
     t.deepEqual(result.toolsVersion, defaults.cliVersion);
     t.is(result.toolsSource, ToolsSource.Download);
-    t.assert(Number.isInteger(result.toolsDownloadDurationMs));
+    t.assert(
+      Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs),
+    );
 
     const cachedVersions = toolcache.findAllVersions("CodeQL");
     t.is(cachedVersions.length, 2);
@@ -398,7 +410,9 @@ test("bundle URL from another repo is cached as 0.0.0-bundleVersion", async (t)
 
     t.is(result.toolsVersion, "0.0.0-20230203");
     t.is(result.toolsSource, ToolsSource.Download);
-    t.true(Number.isInteger(result.toolsDownloadDurationMs));
+    t.true(
+      Number.isInteger(result.toolsDownloadStatusReport?.downloadDurationMs),
+    );
 
     const cachedVersions = toolcache.findAllVersions("CodeQL");
     t.is(cachedVersions.length, 1);

src/codeql.ts

@@ -31,7 +31,7 @@ import * as setupCodeql from "./setup-codeql";
 import { ToolsFeature, isSupportedToolsFeature } from "./tools-features";
 import { shouldEnableIndirectTracing } from "./tracer-config";
 import * as util from "./util";
-import { BuildMode, wrapError } from "./util";
+import { BuildMode, wrapError, cloneObject } from "./util";
 
 type Options = Array<string | number | boolean>;
 
@@ -350,20 +350,24 @@ export async function setupCodeQL(
   checkVersion: boolean,
 ): Promise<{
   codeql: CodeQL;
-  toolsDownloadDurationMs?: number;
+  toolsDownloadStatusReport?: setupCodeql.ToolsDownloadStatusReport;
   toolsSource: setupCodeql.ToolsSource;
   toolsVersion: string;
 }> {
   try {
-    const { codeqlFolder, toolsDownloadDurationMs, toolsSource, toolsVersion } =
-      await setupCodeql.setupCodeQLBundle(
-        toolsInput,
-        apiDetails,
-        tempDir,
-        variant,
-        defaultCliVersion,
-        logger,
-      );
+    const {
+      codeqlFolder,
+      toolsDownloadStatusReport,
+      toolsSource,
+      toolsVersion,
+    } = await setupCodeql.setupCodeQLBundle(
+      toolsInput,
+      apiDetails,
+      tempDir,
+      variant,
+      defaultCliVersion,
+      logger,
+    );
     let codeqlCmd = path.join(codeqlFolder, "codeql", "codeql");
     if (process.platform === "win32") {
       codeqlCmd += ".exe";
@@ -376,7 +380,7 @@ export async function setupCodeQL(
     cachedCodeQL = await getCodeQLForCmd(codeqlCmd, checkVersion);
     return {
       codeql: cachedCodeQL,
-      toolsDownloadDurationMs,
+      toolsDownloadStatusReport,
       toolsSource,
       toolsVersion,
     };
@@ -1306,10 +1310,6 @@ async function generateCodeScanningConfig(
   return codeScanningConfigFile;
 }
 
-function cloneObject<T>(obj: T): T {
-  return JSON.parse(JSON.stringify(obj)) as T;
-}
-
 // This constant sets the size of each TRAP cache in megabytes.
 const TRAP_CACHE_SIZE_MB = 1024;
 

src/config-utils.ts

@@ -881,6 +881,15 @@ function parseRegistries(
   }
 }
 
+export function parseRegistriesWithoutCredentials(
+  registriesInput?: string,
+): RegistryConfigNoCredentials[] | undefined {
+  return parseRegistries(registriesInput)?.map((r) => {
+    const { url, packages } = r;
+    return { url, packages };
+  });
+}
+
 function isLocal(configPath: string): boolean {
   // If the path starts with ./, look locally
   if (configPath.indexOf("./") === 0) {

src/diagnostics.ts

@@ -100,7 +100,9 @@ export function addDiagnostic(
   diagnostic: DiagnosticMessage,
 ) {
   const logger = getActionsLogger();
-  const databasePath = getCodeQLDatabasePath(config, language);
+  const databasePath = language
+    ? getCodeQLDatabasePath(config, language)
+    : config.dbLocation;
 
   // Check that the database exists before writing to it. If the database does not yet exist,
   // store the diagnostic in memory and write it later.
@@ -124,12 +126,15 @@ export function addDiagnostic(
  */
 function writeDiagnostic(
   config: Config,
-  language: Language,
+  language: Language | undefined,
   diagnostic: DiagnosticMessage,
 ) {
   const logger = getActionsLogger();
+  const databasePath = language
+    ? getCodeQLDatabasePath(config, language)
+    : config.dbLocation;
   const diagnosticsPath = path.resolve(
-    getCodeQLDatabasePath(config, language),
+    databasePath,
     "diagnostic",
     "codeql-action",
   );

src/init-action.ts

@@ -35,7 +35,7 @@ import {
 import { Language } from "./languages";
 import { getActionsLogger, Logger } from "./logging";
 import { parseRepositoryNwo } from "./repository";
-import { ToolsSource } from "./setup-codeql";
+import { ToolsDownloadStatusReport, ToolsSource } from "./setup-codeql";
 import {
   ActionName,
   StatusReportBase,
@@ -60,6 +60,7 @@ import {
   ConfigurationError,
   wrapError,
   checkActionVersion,
+  cloneObject,
 } from "./util";
 import { validateWorkflow } from "./workflow";
 
@@ -85,12 +86,19 @@ interface InitWithConfigStatusReport extends InitStatusReport {
   paths_ignore: string;
   /** Comma-separated list of queries sources, from the 'queries' config field or workflow input. */
   queries: string;
+  /** Stringified JSON object of packs, from the 'packs' config field or workflow input. */
+  packs: string;
   /** Comma-separated list of languages for which we are using TRAP caching. */
   trap_cache_languages: string;
   /** Size of TRAP caches that we downloaded, in bytes. */
   trap_cache_download_size_bytes: number;
   /** Time taken to download TRAP caches, in milliseconds. */
   trap_cache_download_duration_ms: number;
+  /** Stringified JSON array of registry configuration objects, from the 'registries' config field
+  or workflow input. **/
+  registries: string;
+  /** Stringified JSON object representing a query-filters, from the 'query-filters' config field. **/
+  query_filters: string;
 }
 
 /** Fields of the init status report populated when the tools source is `download`. */
@@ -106,7 +114,7 @@ interface InitToolsDownloadFields {
 async function sendCompletedStatusReport(
   startedAt: Date,
   config: configUtils.Config | undefined,
-  toolsDownloadDurationMs: number | undefined,
+  toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined,
   toolsFeatureFlagsValid: boolean | undefined,
   toolsSource: ToolsSource,
   toolsVersion: string,
@@ -140,9 +148,9 @@ async function sendCompletedStatusReport(
 
   const initToolsDownloadFields: InitToolsDownloadFields = {};
 
-  if (toolsDownloadDurationMs !== undefined) {
+  if (toolsDownloadStatusReport !== undefined) {
     initToolsDownloadFields.tools_download_duration_ms =
-      toolsDownloadDurationMs;
+      toolsDownloadStatusReport.downloadDurationMs;
   }
   if (toolsFeatureFlagsValid !== undefined) {
     initToolsDownloadFields.tools_feature_flags_valid = toolsFeatureFlagsValid;
@@ -174,18 +182,52 @@ async function sendCompletedStatusReport(
       queries.push(...queriesInput.split(","));
     }
 
+    let packs: Record<string, string[]> = {};
+    if (
+      (config.augmentationProperties.packsInputCombines ||
+        !config.augmentationProperties.packsInput) &&
+      config.originalUserInput.packs
+    ) {
+      // Make a copy, because we might modify `packs`.
+      const copyPacksFromOriginalUserInput = cloneObject(
+        config.originalUserInput.packs,
+      );
+      // If it is an array, then assume there is only a single language being analyzed.
+      if (Array.isArray(copyPacksFromOriginalUserInput)) {
+        packs[config.languages[0]] = copyPacksFromOriginalUserInput;
+      } else {
+        packs = copyPacksFromOriginalUserInput;
+      }
+    }
+
+    if (config.augmentationProperties.packsInput) {
+      packs[config.languages[0]] ??= [];
+      packs[config.languages[0]].push(
+        ...config.augmentationProperties.packsInput,
+      );
+    }
+
     // Append fields that are dependent on `config`
     const initWithConfigStatusReport: InitWithConfigStatusReport = {
       ...initStatusReport,
       disable_default_queries: disableDefaultQueries,
       paths,
       paths_ignore: pathsIgnore,
       queries: queries.join(","),
+      packs: JSON.stringify(packs),
       trap_cache_languages: Object.keys(config.trapCaches).join(","),
       trap_cache_download_size_bytes: Math.round(
         await getTotalCacheSize(config.trapCaches, logger),
       ),
       trap_cache_download_duration_ms: Math.round(config.trapCacheDownloadTime),
+      query_filters: JSON.stringify(
+        config.originalUserInput["query-filters"] ?? [],
+      ),
+      registries: JSON.stringify(
+        configUtils.parseRegistriesWithoutCredentials(
+          getOptionalInput("registries"),
+        ) ?? [],
+      ),
     };
     await sendStatusReport({
       ...initWithConfigStatusReport,
@@ -203,7 +245,7 @@ async function run() {
 
   let config: configUtils.Config | undefined;
   let codeql: CodeQL;
-  let toolsDownloadDurationMs: number | undefined;
+  let toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined;
   let toolsFeatureFlagsValid: boolean | undefined;
   let toolsSource: ToolsSource;
   let toolsVersion: string;
@@ -230,7 +272,10 @@ async function run() {
     logger,
   );
 
-  core.exportVariable(EnvVar.JOB_RUN_UUID, uuidV4());
+  const jobRunUuid = uuidV4();
+  logger.info(`Job run UUID is ${jobRunUuid}.`);
+  core.exportVariable(EnvVar.JOB_RUN_UUID, jobRunUuid);
+
   core.exportVariable(EnvVar.INIT_ACTION_HAS_RUN, "true");
 
   try {
@@ -258,7 +303,7 @@ async function run() {
       logger,
     );
     codeql = initCodeQLResult.codeql;
-    toolsDownloadDurationMs = initCodeQLResult.toolsDownloadDurationMs;
+    toolsDownloadStatusReport = initCodeQLResult.toolsDownloadStatusReport;
     toolsVersion = initCodeQLResult.toolsVersion;
     toolsSource = initCodeQLResult.toolsSource;
 
@@ -324,6 +369,28 @@ async function run() {
   try {
     cleanupDatabaseClusterDirectory(config, logger);
 
+    // Log CodeQL download telemetry, if appropriate
+    if (toolsDownloadStatusReport) {
+      addDiagnostic(
+        config,
+        // Arbitrarily choose the first language. We could also choose all languages, but that
+        // increases the risk of misinterpreting the data.
+        config.languages[0],
+        makeDiagnostic(
+          "codeql-action/bundle-download-telemetry",
+          "CodeQL bundle download telemetry",
+          {
+            attributes: toolsDownloadStatusReport,
+            visibility: {
+              cliSummaryTable: false,
+              statusPage: false,
+              telemetry: true,
+            },
+          },
+        ),
+      );
+    }
+
     // Forward Go flags
     const goFlags = process.env["GOFLAGS"];
     if (goFlags) {
@@ -561,7 +628,7 @@ async function run() {
     await sendCompletedStatusReport(
       startedAt,
       config,
-      toolsDownloadDurationMs,
+      toolsDownloadStatusReport,
       toolsFeatureFlagsValid,
       toolsSource,
       toolsVersion,
@@ -575,7 +642,7 @@ async function run() {
   await sendCompletedStatusReport(
     startedAt,
     config,
-    toolsDownloadDurationMs,
+    toolsDownloadStatusReport,
     toolsFeatureFlagsValid,
     toolsSource,
     toolsVersion,

src/init.ts

@@ -12,7 +12,7 @@ import * as configUtils from "./config-utils";
 import { CodeQLDefaultVersionInfo } from "./feature-flags";
 import { Language, isScannedLanguage } from "./languages";
 import { Logger } from "./logging";
-import { ToolsSource } from "./setup-codeql";
+import { ToolsDownloadStatusReport, ToolsSource } from "./setup-codeql";
 import { ToolsFeature } from "./tools-features";
 import { TracerConfig, getCombinedTracerConfig } from "./tracer-config";
 import * as util from "./util";
@@ -26,12 +26,12 @@ export async function initCodeQL(
   logger: Logger,
 ): Promise<{
   codeql: CodeQL;
-  toolsDownloadDurationMs?: number;
+  toolsDownloadStatusReport?: ToolsDownloadStatusReport;
   toolsSource: ToolsSource;
   toolsVersion: string;
 }> {
   logger.startGroup("Setup CodeQL tools");
-  const { codeql, toolsDownloadDurationMs, toolsSource, toolsVersion } =
+  const { codeql, toolsDownloadStatusReport, toolsSource, toolsVersion } =
     await setupCodeQL(
       toolsInput,
       apiDetails,
@@ -43,7 +43,7 @@ export async function initCodeQL(
     );
   await codeql.printVersion();
   logger.endGroup();
-  return { codeql, toolsDownloadDurationMs, toolsSource, toolsVersion };
+  return { codeql, toolsDownloadStatusReport, toolsSource, toolsVersion };
 }
 
 export async function initConfig(

src/setup-codeql.test.ts

@@ -152,9 +152,12 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to use
   // Stub the downloadCodeQL function to prevent downloading artefacts
   // during testing from being called.
   sinon.stub(setupCodeql, "downloadCodeQL").resolves({
-    toolsVersion: LINKED_CLI_VERSION.cliVersion,
     codeqlFolder: "codeql",
-    toolsDownloadDurationMs: 200,
+    statusReport: {
+      downloadDurationMs: 200,
+      extractionDurationMs: 300,
+    },
+    toolsVersion: LINKED_CLI_VERSION.cliVersion,
   });
 
   await withTmpDir(async (tmpDir) => {
@@ -195,9 +198,12 @@ test("setupCodeQLBundle logs the CodeQL CLI version being used when asked to dow
   // Stub the downloadCodeQL function to prevent downloading artefacts
   // during testing from being called.
   sinon.stub(setupCodeql, "downloadCodeQL").resolves({
-    toolsVersion: expectedVersion,
     codeqlFolder: "codeql",
-    toolsDownloadDurationMs: 200,
+    statusReport: {
+      downloadDurationMs: 200,
+      extractionDurationMs: 300,
+    },
+    toolsVersion: expectedVersion,
   });
 
   await withTmpDir(async (tmpDir) => {

src/setup-codeql.ts

@@ -461,6 +461,11 @@ export async function tryGetFallbackToolcacheVersion(
   return fallbackVersion;
 }
 
+export interface ToolsDownloadStatusReport {
+  downloadDurationMs: number;
+  extractionDurationMs: number;
+}
+
 // Exported using `export const` for testing purposes. Specifically, we want to
 // be able to stub this function and have other functions in this file use that stub.
 export const downloadCodeQL = async function (
@@ -471,9 +476,9 @@ export const downloadCodeQL = async function (
   tempDir: string,
   logger: Logger,
 ): Promise<{
-  toolsVersion: string;
   codeqlFolder: string;
-  toolsDownloadDurationMs: number;
+  statusReport: ToolsDownloadStatusReport;
+  toolsVersion: string;
 }> {
   const parsedCodeQLURL = new URL(codeqlURL);
   const searchParams = new URLSearchParams(parsedCodeQLURL.search);
@@ -513,20 +518,18 @@ export const downloadCodeQL = async function (
     authorization,
     finalHeaders,
   );
-  const toolsDownloadDurationMs = Math.round(
-    performance.now() - toolsDownloadStart,
-  );
+  const downloadDurationMs = Math.round(performance.now() - toolsDownloadStart);
 
   logger.debug(
-    `Finished downloading CodeQL bundle to ${archivedBundlePath} (${toolsDownloadDurationMs} ms).`,
+    `Finished downloading CodeQL bundle to ${archivedBundlePath} (${downloadDurationMs} ms).`,
   );
 
   logger.debug("Extracting CodeQL bundle.");
   const extractionStart = performance.now();
   const extractedBundlePath = await toolcache.extractTar(archivedBundlePath);
-  const extractionMs = Math.round(performance.now() - extractionStart);
+  const extractionDurationMs = Math.round(performance.now() - extractionStart);
   logger.debug(
-    `Finished extracting CodeQL bundle to ${extractedBundlePath} (${extractionMs} ms).`,
+    `Finished extracting CodeQL bundle to ${extractedBundlePath} (${extractionDurationMs} ms).`,
   );
   await cleanUpGlob(archivedBundlePath, "CodeQL bundle archive", logger);
 
@@ -539,9 +542,12 @@ export const downloadCodeQL = async function (
         `URL ${codeqlURL}.`,
     );
     return {
-      toolsVersion: maybeCliVersion ?? "unknown",
       codeqlFolder: extractedBundlePath,
-      toolsDownloadDurationMs,
+      statusReport: {
+        downloadDurationMs,
+        extractionDurationMs,
+      },
+      toolsVersion: maybeCliVersion ?? "unknown",
     };
   }
 
@@ -567,9 +573,12 @@ export const downloadCodeQL = async function (
   }
 
   return {
-    toolsVersion: maybeCliVersion ?? toolcacheVersion,
     codeqlFolder: toolcachedBundlePath,
-    toolsDownloadDurationMs,
+    statusReport: {
+      downloadDurationMs,
+      extractionDurationMs,
+    },
+    toolsVersion: maybeCliVersion ?? toolcacheVersion,
   };
 };
 
@@ -632,7 +641,7 @@ export async function setupCodeQLBundle(
   logger: Logger,
 ): Promise<{
   codeqlFolder: string;
-  toolsDownloadDurationMs?: number;
+  toolsDownloadStatusReport?: ToolsDownloadStatusReport;
   toolsSource: ToolsSource;
   toolsVersion: string;
 }> {
@@ -646,7 +655,7 @@ export async function setupCodeQLBundle(
 
   let codeqlFolder: string;
   let toolsVersion = source.toolsVersion;
-  let toolsDownloadDurationMs: number | undefined;
+  let toolsDownloadStatusReport: ToolsDownloadStatusReport | undefined;
   let toolsSource: ToolsSource;
   switch (source.sourceType) {
     case "local":
@@ -669,14 +678,14 @@ export async function setupCodeQLBundle(
       );
       toolsVersion = result.toolsVersion;
       codeqlFolder = result.codeqlFolder;
-      toolsDownloadDurationMs = result.toolsDownloadDurationMs;
+      toolsDownloadStatusReport = result.statusReport;
       toolsSource = ToolsSource.Download;
       break;
     }
     default:
       util.assertNever(source);
   }
-  return { codeqlFolder, toolsDownloadDurationMs, toolsSource, toolsVersion };
+  return { codeqlFolder, toolsDownloadStatusReport, toolsSource, toolsVersion };
 }
 
 async function cleanUpGlob(glob: string, name: string, logger: Logger) {

src/util.ts

@@ -1100,3 +1100,7 @@ export enum BuildMode {
   /** The database will be created by building the source root using manually specified build steps. */
   Manual = "manual",
 }
+
+export function cloneObject<T>(obj: T): T {
+  return JSON.parse(JSON.stringify(obj)) as T;
+}